1. keyboardweeb's Avatar
    Ask the drive by comments to state why BBM is not secure. Would be interesting if they would first define secure and then state where BBM falls short,
    Everyone seriously participating in this thread seems to acknowledge that end-to-end encryption is not the necessary and sufficient condition to ultimate security and privacy.
    Have we been reading the same thread? Seeing these two posts, I'm not so sure, and that last statement I honestly can't fathom where that idea might have come from.

    Posted on my Model M
    11-01-16 07:03 PM
  2. app_Developer's Avatar
    That's the point, which I think is clear now. Everyone seriously participating in this thread seems to acknowledge that end-to-end encryption is not the necessary and sufficient condition to ultimate security and privacy.

    I hope it's also agreed that "better than" depends--just as "secure enough" depends--on what the user needs.
    Is BBM Protected more secure than BBM? If not, what does "Protected" mean exactly?

    It seems BB think e2e encryption is so valuable that people will actually pay extra for it.
    JeepBB and Dunt Dunt Dunt like this.
    11-01-16 08:37 PM
  3. sinkingphoenix's Avatar
    Reading the report (with a focus on BBM security, as I only use that system right now), I think the scoring is fair. Anyone who has a bit deeper knowledge of cryptography and security knows that the default BBM chat falls short in terms of security when compared to the likes of Apple or WhatsApp. I'm a bit sad that they did not include Signal, as I believe it would have come in first place, but it's probably not known enough.

    Posted via CB10
    11-02-16 04:46 AM
  4. werkregen's Avatar
    Reading the report (with a focus on BBM security, as I only use that system right now), I think the scoring is fair. Anyone who has a bit deeper knowledge of cryptography and security knows that the default BBM chat falls short in terms of security when compared to the likes of Apple or WhatsApp. I'm a bit sad that they did not include Signal, as I believe it would have come in first place, but it's probably not known enough.

    Posted via CB10
    I love Signal and their approach. They are trying to make a secure AND private messenger, that can also be easily used by the masses.

    By doing just basic research, I think ChatSecure with OMEMO on iOS and Conversations on Android are possibly THE most secure and private cross-platform messaging solutions. Better than Signal because they don't need phone numbers, or Google Play services, but a bit more difficult to set up.

    Posted via CB10
    11-02-16 06:39 AM
  5. aiharkness's Avatar
    Is BBM Protected more secure than BBM? If not, what does "Protected" mean exactly?

    It seems BB think e2e encryption is so valuable that people will actually pay extra for it.
    The answers are not hidden. Someone else linked to the security white paper on standard BBM. The same for BBM Protected is also easily found.

    I don't want to speak for BlackBerry, but I still say it is obvious that it thinks it is offering added value at a fair market price, and end-to-end encryption is part of that service. Is that a realistic assessment on their part--added value at a fair market price? I don't know.
    11-02-16 06:42 AM
  6. aiharkness's Avatar
    Have we been reading the same thread? Seeing these two posts, I'm not so sure, and that last statement I honestly can't fathom where that idea might have come from.

    Posted on my Model M
    I've noticed remarks like that a lot. Either it is an attempt to be dismissive, or perhaps we have read the thread and taken different interpretations. Whatever. I think I've been clear what thoughts I was addressing and the reasoning behind my comments. Anyone else is free to do the same.
    11-02-16 06:46 AM
  7. bobshine's Avatar
    There doesn't seem to be consensus on what "secure enough" means.
    To me, end-to-end encryption with private keys is "secure enough" and BBM Protected does a great job of it.

     Passport filter-evading the NSA  Make BlackBerry Great Again!
    Secure enough means good for your needs. For most people, simple encryption is good. People who deal with confidential information from clients would need end to end encryption. Government would need higher grade.
    11-02-16 07:10 AM
  8. aiharkness's Avatar
    There doesn't seem to be consensus on what "secure enough" means.
    To me, end-to-end encryption with private keys is "secure enough" and BBM Protected does a great job of it.

     Passport filter-evading the NSA  Make BlackBerry Great Again!
    Secure enough means good for your needs. For most people, simple encryption is good. People who deal with confidential information from clients would need end to end encryption. Government would need higher grade.
    The standard BBM matter seems to me to confuse many because it spans from the BBOS system to BB10 and also across platforms. Someone linked the security white paper that explains the various situations. But in the "best case" situation now with standard BBM the message is encrypted in transit between device and server, but not as it transits the server. That, apparently, is enough for some to assess that standard BBM is not secure. My question is whether you are really worried about it. Not you putting yourself in someone else's shoes who might be worried about it, but you, are you worried about it. And I've already argued that there is more to consider than just end-to-end encryption.

    One more opinion from me. There are many reasons someone who is law abiding would want or need the message encrypted as it transits the server, and not just encrypted on the transit to and from the server. Could be professional standards or industry regulations that would require it generally as part of confidentiality requirements, and those under such rules would not be the typical consumer user. The point is that these users probably aren't in a position to decide whether standard BBM is secure enough because in a general sense that decision is being made for them irrespective of BlackBerry servers or anyone's servers.
    11-02-16 08:32 AM
  9. sinkingphoenix's Avatar
    Secure enough means good for your needs. For most people, simple encryption is good. People who deal with confidential information from clients would need end to end encryption. Government would need higher grade.
    Why would you go for something less secure (no end2end encryption) if the alternative is easy to achieve and used by competitors?
    There is no significant tradeoff for achieving end2end encryption, so saying BBM encryption is good enough might not only be false for e.g. human rights activists in certain countries, there is also no need to artificially stay at a lower level of security for most other persons, and that BlackBerry can provide end2end encryption is proven with BBM protected.

    Posted via CB10
    11-02-16 11:42 AM
  10. keyboardweeb's Avatar
    I've noticed remarks like that a lot. Either it is an attempt to be dismissive, or perhaps we have read the thread and taken different interpretations. Whatever. I think I've been clear what thoughts I was addressing and the reasoning behind my comments. Anyone else is free to do the same.
    Yet, you haven't noticed the posts where BBM's shortcomings have been described?

    And I'm sorry, I haven't been able to get over when you said:

    Everyone seriously participating in this thread seems to acknowledge that end-to-end encryption is not the necessary and sufficient condition to ultimate security and privacy.
    which is false. End to end encryption is very much a necessary pre-requisite for security and privacy of communication (and communication over the internet especially). Perhaps the "not" in that statement was a typo? Perhaps it was egregiously misworded and you never meant to imply that you can have security and privacy (again, particularly in networks) without trustworthy end to end encryption?

    Posted on my Model M
    11-02-16 07:55 PM
  11. app_Developer's Avatar
    End to end encryption is very much a necessary pre-requisite for security and privacy of communication (and communication over the internet especially). Perhaps the "not" in that statement was a typo?
    Like you, I'm another person who is seriously participating in this thread who also believes that e2e encryption is necessary (but not sufficient) to consider communication as secure.

    This is a fundamental feature of secure communication: I should be able to send you a message such that there is very little chance that someone other than you would be able to read that message or alter that message.

    In free BBM, we know that the recipient is not the only person who can read that message. It's not even a case of there being a non-negligible probability that someone can read the message. It is known with certainty that BlackBerry, and very soon another company Emtek, can read every message you send on free BBM.

    For some people that may not be an issue. That I understand. However, getting back to the OP's question, by any reasonable definition of security you have to say that BBM is less secure than other choices that are now available. Whether it's "good enough" is of course something each person or family or group or company has to decide.
    keyboardweeb, Uzi, JeepBB and 3 others like this.
    11-02-16 09:13 PM
  12. bobshine's Avatar
    Why would you go for something less secure (no end2end encryption) if the alternative is easy to achieve and used by competitors?
    There is no significant tradeoff for achieving end2end encryption, so saying BBM encryption is good enough might not only be false for e.g. human rights activists in certain countries, there is also no need to artificially stay at a lower level of security for most other persons, and that BlackBerry can provide end2end encryption is proven with BBM protected.

    Posted via CB10
    Well if BBM security is secure enough, why use something else if you like other features they provide? That's the point. It all depends on one's priority and needs.

    I don't use BBM cause it's not secure enough nor practical to communicate with my clients.
    11-02-16 09:37 PM
  13. Loc22's Avatar
    Well if BBM security is secure enough, why use something else if you like other features they provide? That's the point. It all depends on one's priority and needs.

    I don't use BBM cause it's not secure enough nor practical to communicate with my clients.
    Simply because WhatsApp just uses phone numbers and that's what you have of every friend, family member, colleague and customer. How else is it more convenient to contact them?

    It also has less features so it gives a chance for people to download many many apps to use to fulfil their needs.
    11-02-16 10:36 PM
  14. aiharkness's Avatar
    Yet, you haven't noticed the posts where BBM's shortcomings have been described?

    And I'm sorry, I haven't been able to get over when you said:



    which is false. End to end encryption is very much a necessary pre-requisite for security and privacy of communication (and communication over the internet especially). Perhaps the "not" in that statement was a typo? Perhaps it was egregiously misworded and you never meant to imply that you can have security and privacy (again, particularly in networks) without trustworthy end to end encryption?

    Posted on my Model M
    Read again. I wrote necessary and sufficient. The word sufficient matters. Perhaps we wouldn't disagree if you read more carefully.
    11-03-16 06:37 AM
  15. app_Developer's Avatar
    Read again. I wrote necessary and sufficient. The word sufficient matters. Perhaps we wouldn't disagree if you read more carefully.
    Maybe you could clarify what you meant. Here is the quote again:

    ...end-to-end encryption is not the necessary and sufficient condition to ultimate security and privacy
    Which of these are you saying:
    1. e2ee is neither necessary nor sufficient? or
    2. e2ee is necessary but is not sufficient? or
    3. e2ee is sufficient, but not necessary?


    If you are saying (2) then I would agree.
    aiharkness likes this.
    11-03-16 09:55 PM
  16. aiharkness's Avatar
    Maybe you could clarify what you meant. Here is the quote again:



    Which of these are you saying:
    1. e2ee is neither necessary nor sufficient? or
    2. e2ee is necessary but is not sufficient? or
    3. e2ee is sufficient, but not necessary?


    If you are saying (2) then I would agree.
    I would be happy to answer. Thanks for asking.

    First, I should be clear. I think the ability to communicate privately and securely is a human right. When the authorities want to keep the ability to encrypt from you, that is reason enough to use it. Exercise your rights.

    So, "necessary and sufficient".... I mean #2

    A requirement or set of requirements that must be met in order to achieve a purpose may be only the subset of steps necessary. It may not be all of the requirements or steps.

    The full, or complete set of requirements, or steps, or procedures, or pick your term, that must be practiced or performed in order to achieve the intended purpose is the necessary and sufficient set.

    I sense that many--not just here, but on other forums as well--believe that end-to-end encryption is the be all and end all--the necessary and sufficient condition--to complete and total privacy and security. I have been arguing that it is not. I hope I have swayed some opinions.

    As I say, I believe people should exercise their rights, and no time like the present to do it; but just understand the service(s), understand what it does, understand what it doesn't do, etc.
    11-04-16 06:46 AM
  17. Wmsi's Avatar
    @app_Developer

    Who is Emtek? Why will they be able to read my BBMs?
    11-04-16 08:33 AM
  18. app_Developer's Avatar
    @app_Developer

    Who is Emtek? Why will they be able to read my BBMs?
    Emtek is the partner who will now be developing and operating BBM worldwide.
    Wmsi likes this.
    11-04-16 11:52 AM
  19. bobshine's Avatar
    There is a big debate here in Canada about what police can or cannot do because it was unearthed that authorities were monitoring a journalist's iPhone.

    The reason why this matters is that they wanted to know the source of that journalist, and it was in regard to an investigation about the police.

    That brings up a whole lot of questions: should all communications be encrypted to prevent abuses by the authorities? If that happens, then what can authorities do vs the real criminals?

    Also carriers have tons and tons of information about us. Recently, police sent out 7500 text messages to cellphone users that were connected to a specific cell tower on a certain day at a certain time... looking for witnesses to a murder. This proved that with the best end to end encryption, surveillance can still be achieved with crazy precision.
    11-04-16 12:24 PM
  20. aiharkness's Avatar
    Emtek is the partner who will now be developing and operating BBM worldwide.
    I started searching and reading on Emtek partly because of its mention in this thread and another BBM thread (BBM enterprise). I haven't followed it closely so I probably have missed something. Do you have a link, or links, or remember the source? So far what I've read is Emtek is licensing tech and will have use of APIs to deliver content. This is different from the impression I'm getting from the threads is what you say here, that Emtek is taking over the consumer BBM and what was BBM protected (and now BBM Enterprise?) on iOS and Android platforms. ....

    Not arguing. Just trying to get all the information.

    If too far afield from the topic, I understand.
    11-04-16 12:43 PM
  21. aiharkness's Avatar
    There is a big debate here in Canada about what police can or cannot do because it was unearthed that authorities were monitoring a journalist's iPhone.

    The reason why this matters is that they wanted to know the source of that journalist, and it was in regard to an investigation about the police.

    That brings up a whole lot of questions: should all communications be encrypted to prevent abuses by the authorities? If that happens, then what can authorities do vs the real criminals?

    Also carriers have tons and tons of information about us. Recently, police sent out 7500 text messages to cellphone users that were connected to a specific cell tower on a certain day at a certain time... looking for witnesses to a murder. This proved that with the best end to end encryption, surveillance can still be achieved with crazy precision.
    A few thoughts.....

    What you mention about the journalist is happening not just in Canada. Not just with smartphones. And those doing the snooping probably didn't need the contents of the communication to identify the journalist's source. Of course, those doing the snooping would probably be happy to have the contents of the communication; but to just identify the source, odds are they didn't need it.

    The balance between protecting your rights and not unreasonably hindering the authorities is a tough one. I'm not even sure of my word choice, "unreasonably hindering". On one hand, I really, truly believe what I wrote above. Use of encryption is your right. I also think that authority tends to gradually want it all, "it" being control, information, data, the ability to read anyone's communication without any bureaucratic hassles if the need arises, whatever. If you and some critical mass of others don't exercise your rights, you and everyone will lose those rights a bit at a time. But on the other hand, when we are talking about the authorities, we know that they have the resources and the manpower to accomplish whatever they want to accomplish. Encryption doesn't make them incapable just as the authorities are not incapacitated by "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." (of course, where these rights are recognized)

    Forget the carriers. That's a drop in a very big, gigantic bucket. Look up the story on the law-abiding Florida guy who was stopped when driving through Maryland and searched because he has a carry permit in Florida. The system in use by the authorities scanned his tag automatically as he entered or exited a tunnel on I-95, looked him up automatically, showed that he has a carry permit in Florida, and from there the authorities pulled him over and searched him and his vehicle looking for a gun (which he didn't have, by the way). The gun part of the story is incidental. Tons of commercial entities and state and federal government agencies have all kinds of information on you, and it is shared and sold, and it is retrievable and actionable in real time, depending on the intent and motives of those doing the looking and acting.
    Last edited by aiharkness; 11-04-16 at 01:35 PM.
    11-04-16 01:19 PM
  22. Dunt Dunt Dunt's Avatar
    I started searching and reading on Emtek partly because of its mention in this thread and another BBM thread (BBM enterprise). I haven't followed it closely so I probably have missed something. Do you have a link, or links, or remember the source? So far what I've read is Emtek is licensing tech and will have use of APIs to deliver content. This is different from the impression I'm getting from the threads is what you say here, that Emtek is taking over the consumer BBM and what was BBM protected (and now BBM Enterprise?) on iOS and Android platforms. ....

    Not arguing. Just trying to get all the information.

    If too far afield from the topic, I understand.
    BLACKBERRY AND EMTEK FORGE PARTNERSHIP TO ACCELERATE AND ADVANCE BBM'S CONSUMER BUSINESS GLOBALLY -

    As Emtek advances the platform for the consumer market, BlackBerry will continue to advance the platform for enterprise with BBM Protected, the world’s most secure cross-platform messaging service. BBM Protected provides enterprise-grade messaging for Android, iOS, BB10 and BBOS, and enables users to stay connected and engaged with each other through real time messaging, voice and video communications.
    It's not really clear that EMTEK is going to have full operational access, or if they will simply be in control of content. But another article made it sound like they planned to make really big changes to expand BBM to much more than messaging, which would require a lot of changes to be made to the coding. To be honest the first thing I would do if I were Emtek would be to provide e2e encryption so that BBM doesn't further lose its position in the Indonesian market where MOST of the BBM users are.

    But everything I've seen indicates that Emtek is now the Global licensee for BBM (not Protected)... Have to wonder what if anything they care about users outside of the Indonesian market?
    11-04-16 01:43 PM
  23. aiharkness's Avatar
    Like you, I'm another person who is seriously participating in this thread who also believes that e2e encryption is necessary (but not sufficient) to consider communication as secure.

    This is a fundamental feature of secure communication: I should be able to send you a message such that there is very little chance that someone other than you would be able to read that message or alter that message.

    In free BBM, we know that the recipient is not the only person who can read that message. It's not even a case of there being a non-negligible probability that someone can read the message. It is known with certainty that BlackBerry, and very soon another company Emtek, can read every message you send on free BBM.

    For some people that may not be an issue. That I understand. However, getting back to the OP's question, by any reasonable definition of security you have to say that BBM is less secure than other choices that are now available. Whether it's "good enough" is of course something each person or family or group or company has to decide.
    First, I would probably retract my use of "serious" but I at least want to qualify it now at this point. I appreciate that there are many who are thoughtfully engaged in conversation. The one-liner wise cracks are frustrating to me. That's what I was getting at. I appreciate thoughtful argument even when it disagrees with me.

    So, a quibble. Yes, I understand that standard BBM messages transit the BlackBerry servers in a form that is readable by BlackBerry or anyone that BlackBerry assists, and by anyone who captures those messages in the "scrambled" form who also has the global key. To state succinctly, those standard BlackBerry messages as they transit the BlackBerry servers can be read, as you state.

    However, "can happen" is not the same as "will happen", and it doesn't necessarily mean catastrophe if it does happen. I'm not making a I-don't-have-anything-to-hide-so-I-don't-care argument. Rather, I'm saying your potential jeopardy isn't just assessed by the vulnerability, but by the probability that vulnerability will be used, and the consequences for you if it is.

    Personally, I was fine with standard BBM. Again, I'm not making the I-don't-have-anything-to-hide statement, just saying that in the big picture I was fine. For what it's worth, I'm a BlackBerry enthusiast going way back, and I'm using BBM Protected because I can and I'm exercising my right to use encryption. There is no more to it than that.
    11-04-16 02:03 PM
  24. aiharkness's Avatar
    BLACKBERRY AND EMTEK FORGE PARTNERSHIP TO ACCELERATE AND ADVANCE BBM'S CONSUMER BUSINESS GLOBALLY -



    It's not really clear that EMTEK is going to have full operational access, or if they will simply be in control of content. But another article made it sound like they planned to make really big changes to expand BBM to much more than messaging, which would require a lot of changes to be made to the coding. To be honest the first thing I would do if I were Emtek would be to provide e2e encryption so that BBM doesn't further lose its position in the Indonesian market where MOST of the BBM users are.

    But everything I've seen indicates that Emtek is now the Global licensee for BBM (not Protected)... Have to wonder what if anything they care about users outside of the Indonesian market?
    Yeah. Not clear to me that Emtek would be anything more than a content provider, or would have access to anything other than what is involved in interaction with the components Emtek provides. I could be missing something, but that's the way I read what I've found.

    It also isn't clear, but sounds like Emtek's license is restrictive to Indonesia. The phrase about the partnership helping extend BBM globally could simply be marketing for this is a piece in our (BlackBerry and BBM) plans to expand globally.

    I have to add, it seems BlackBerry can't catch a break. First they aren't doing enough to give people a reason to buy and use BlackBerry products (which is undeniably true, in my opinion), but then they catch flak for trying. I'd love to see a partner with a license in the USA or North America that would expand BlackBerry Channels to its potential. Probably never going to happen. But I wouldn't complain if it did happen.

    Anyway, I'm still not seeing where Emtek is going to be reading my communications with contacts if I was using standard BBM. If someone is reading between the lines and making an argument that it could go that way, who knows, maybe so.
    11-04-16 02:44 PM
  25. Dunt Dunt Dunt's Avatar
    Yeah. Not clear to me that Emtek would be anything more than a content provider, or would have access to anything other than what is involved in interaction with the components Emtek provides. I could be missing something, but that's the way I read what I've found.

    It also isn't clear, but sounds like Emtek's license is restrictive to Indonesia. The phrase about the partnership helping extend BBM globally could simply be marketing for this is a piece in our (BlackBerry and BBM) plans to expand globally.

    I have to add, it seems BlackBerry can't catch a break. First they aren't doing enough to give people a reason to buy and use BlackBerry products (which is undeniably true, in my opinion), but then they catch flak for trying. I'd love to see a partner with a license in the USA or North America that would expand BlackBerry Channels to its potential. Probably never going to happen. But I wouldn't complain if it did happen.

    Anyway, I'm still not seeing where Emtek is going to be reading my communications with contacts if I was using standard BBM. If someone is reading between the lines and making an argument that it could go that way, who knows, maybe so.
    No they have said a couple of times now that Emtek is BBM.... BlackBerry is BBM Protected.

    But the little I've read about Emtek's plans, is they plan to turn BBM into an entertainment portal and an advertising mecca. I doubt that can be done without a big change to the code. But I also doubt it can be done without killing the reason most use BBM in the first place. I've kinda wondered why BlackBerry didn't do a BBM lite and drop the Channels features after that flopped. I think it might make for a more streamlined product.... But then I don't know... maybe Channels is a success over in Indonesia and that is what Emtek plans to build on.
    11-04-16 03:04 PM