1. Tilman Mueller's Avatar
    Just read an interesting article on Spiegel Online. Looks like BlackBerry is now officially "like everyone else".

    original article (German):
    NSA kann auch iPhone, BlackBerry und Android-Telefone auslesen - SPIEGEL ONLINE

    international version (English):
    Privacy Scandal: NSA Can Spy on Smart Phone Data - SPIEGEL ONLINE



    EDIT | I'm not a tinfoil hat person. It's just the case that many BB users still try to argue with that "security feature" - and that seems to be wrong.
    09-07-13 11:54 AM
  2. STV0726's Avatar
    Oh boy here we go...the FUD gates are now open.

    As always, if you are using BES, you're fine. The data incoming/outgoing on non-BES BlackBerry devices was never really claimed to be "secure" if you get the facts straight.

    But all BlackBerry devices are still most secure BY FAR BES or not in terms of OS code integrity and ability to lock apps down...but that doesn't pertain to data privacy. Security and privacy are two different things. I wish people would realize this before A) making claims overstating non-BES BB security, and B) before linking an article like this and saying "see, BlackBerry is no more SECURE than the others". Both erroneous statements.

    ~STV on Q10SQN100-5/10.1.0.4780 TMO US
    09-07-13 12:00 PM
  3. h20work's Avatar
    Just read an interesting article on Spiegel Online. Looks like BlackBerry is now officially "like everyone else".

    original article (German):
    NSA kann auch iPhone, BlackBerry und Android-Telefone auslesen - SPIEGEL ONLINE

    international version (English):
    Privacy Scandal: NSA Can Spy on Smart Phone Data - SPIEGEL ONLINE



    EDIT | I'm not a tinfoil hat person. It's just the case that many BB users still try to argue with that "security feature" - and that seems to be wrong.
    Thanks, good find. Pretty much confirmed my thoughts.
    09-07-13 12:07 PM
  4. jcarlos100's Avatar
    So guessing it only applies to people who don't use BES then?

    Posted via CB10
    Superfly_FR likes this.
    09-07-13 12:18 PM
  5. STV0726's Avatar
    So guessing it only applies to people who don't use BES then?

    Posted via CB10
    Heh...they claim NSA found a way to crack into "BlackBerry's mail system which was previously thought to be secure..." Their utter lack of specificity makes me seriously question the accuracy and veracity of this information.

    BlackBerry's mail system could mean BES, or it could be interpreted a number of other ways, from the BIS email system, the server that figures out mail settings on BlackBerry 10, or even just may be referring to using email on a BlackBerry without BES. If BES was tapped into, that would be big enough of a deal to be specific and it would make bigger headlines than this site I've rarely heard of.

    ~STV on Q10SQN100-5/10.1.0.4780 TMO US
    pttptppt and sk8er_tor like this.
    09-07-13 12:20 PM
  6. h20work's Avatar
    Oh boy here we go...the FUD gates are now open.

    As always, if you are using BES, you're fine. The data incoming/outgoing on non-BES BlackBerry devices was never really claimed to be "secure" if you get the facts straight.

    But all BlackBerry devices are still most secure BY FAR BES or not in terms of OS code integrity and ability to lock apps down...but that doesn't pertain to data privacy. Security and privacy are two different things. I wish people would realize this before A) making claims overstating non-BES BB security, and B) before linking an article like this and saying "see, BlackBerry is no more SECURE than the others". Both erroneous statements.

    ~STV on Q10SQN100-5/10.1.0.4780 TMO US
    No mention of bes or bis. You are assuming they haven't been successful.

    "The documents also state that the NSA has succeeded in accessing the BlackBerry mail system, which is known to be very secure. This could mark a huge setback for the company, which has always claimed that its mail system is uncrackable."

    Strange part is, like you said, no one thought BIS was secure, so why would they say it was thought to be "unbreakable"?
    09-07-13 12:27 PM
  7. pttptppt's Avatar
    2 cents says they're full of bs. Just saying, they aren't giving any proof
    brout likes this.
    09-07-13 12:34 PM
  8. neteng1000's Avatar
    Even if it's true, I'm sure BlackBerry helped them out. I can just hear the conversation: "give us the encryption algorithm if you want to continue selling BlackBerry to the DoD" lol

    Posted via CB10
    John Pawling likes this.
    09-07-13 12:38 PM
  9. MobileMadness002's Avatar
    So guessing it only applies to people who don't use BES then?

    Posted via CB10
    Would also like to point out that all you need is a COW (cell on wheels) to act as a connecting tower, a BIS server to read the BBM traffic, users then connect to this "tower" and ALL traffic can be intercepted that is not encrypted with the BES key.
    09-07-13 12:48 PM
  10. sjmartin007's Avatar
    I doubt this article. Why would the US government still use BlackBerry if this is so? It's just another attempt to discredit BlackBerry.

    Posted via CB10
    09-07-13 01:19 PM
  11. amazinglygraceless's Avatar
    I doubt this article. Why would the US government still use BlackBerry if this is so? It's just another attempt to discredit BlackBerry.
    Because BlackBerrys used by and within governmental entities (especially Federal) are almost always on BES. This is nothing to do with discrediting BlackBerry (where do you people come up with this nonsense?) but more an issue of people NOT understanding the security differences that separate BlackBerry Internet Service (general consumer) and BlackBerry Enterprise Service.
    raino likes this.
    09-07-13 02:23 PM
  12. Tilman Mueller's Avatar
    Um...

    Just to point out. I'm not bashing on BlackBerry.
    I just wanted to recommend an interesting article, or at least what I think it was.

    By the way. Consumers aren't on BES (normally) so my statement, that BlackBerry is like everyone else right now, isn't that wrong. I mean sure. You can say that this never has been the case, but at least it was my understanding that "security" is a feature, many BlackBerry users are proud of.
    09-07-13 02:49 PM
  13. amazinglygraceless's Avatar
    Um...

    Just to point out. I'm not bashing on BlackBerry.
    I don't think anyone thought you were...if anyone says that I'll punch them in the nose for you

    I just wanted to recommend an interesting article, or at least what I think it was.
    ...and it is

    By the way. Consumers aren't on BES (normally) so my statement, that BlackBerry is like everyone else right now, isn't that wrong. I mean sure. You can say that this never has been the case, but at least it was my understanding that "security" is a feature, many BlackBerry users are proud of.
    Again this stems from the twofold problem of people (a) not understanding the security aspects of BlackBerry, or any other device for that matter and (b) people mistakenly interchanging the concepts of security and privacy. Not even close to being the same. I close my drapes for privacy, I have a monitored alarm system (and a .45 ACP) for security.
    MKDS likes this.
    09-07-13 03:00 PM
  14. jeffydude05's Avatar
    RIM Plays Defense as Snowden Leaks Touch BlackBerry - Digits - WSJ

    BlackBerry is still the most secure in general terms...against everything but the NSA. I think it's pretty naive to believe that they can't...
    h20work and Omnitech like this.
    09-07-13 03:04 PM
  15. anon2100101's Avatar
    I recognize four aspects:
    1. how naive some people are cause they think they have nothing to hide therefore the NSA can't be interested in their data traffic...
    2. how indifferent a lot of people are about spying their life (and pay a lot of money to avoid spy-software on their PC)
    3. who needs enemies with an (American) friend like the NSA... It doesn't help to enhance the reputation of the USA!
    4. The BES is also hacked- industrial espionage in the dishonest name of defense against terror....

    Rammstein: "Amerika ist wunderbar".... If you're able to- translate the lyrics...
    Last edited by serversurfer; 09-07-13 at 03:40 PM.
    09-07-13 03:17 PM
  16. MKDS's Avatar
    I recognize four aspects:
    [snip]
    4. The BES is also hacked- industrial espionage in the dishonest name of defense against terror....
    [/snip]
    I am genuinely interested if BES is also affected - did you (or anyone) find a source regarding this issue?

    The article in 'Spiegel' is the more recent article albeit the WSJ reported the same issue two months earlier. Even though the article in Spiegel isn't as detailed as I had hoped, the WSJ blog post from June leaves me under the impression that BES *might* not be affected.

    It really is an interesting question and leaves me with another question: how about the security of the phone itself (and not regarding the BB mail infrastructure).

    I am looking forward to an interesting discussion and hope to have the two questions answered.
    Tilman Mueller likes this.
    09-07-13 04:39 PM
  17. Poirots Progeny's Avatar
    Fascinating discussion - and glad people (well some) are being objective, and also highlighting the difference between privacy and security. There is a difference, though both are important, in their own way.

    If the man wants your info, he'll get it, whatever you're using. If you're transmitting sensitive corporate info, or whatever, you'd be foolish not to encrypt it. As far as I know, BlackBerry 10 doesn't have a PGP client - Blowfish, Twofish and Serpent are out of the question (again, as far as I know) so what to do? I don't know.

    Would love to hear more on this!

    Posted via CB10 on my BlackBerry Q10
    danprown, Tilman Mueller and MKDS like this.
    09-07-13 04:59 PM
  18. Poirots Progeny's Avatar
    Oh, BES may offer some additional protection - and that's great. For the consumer... well what? BlackBerry don't support consumer VPNs - like OpenVPN. I understand why (they are selling their own product, and consumers don't generally want, need nor care about wanting VPN access - I do) and it's frustrating.

    Anyone know a way to deal with this issue also? Again, the man will probably have a way in... eventually...

    What a world we live in!?

    What happened?

    Posted via CB10 on my BlackBerry Q10
    09-07-13 05:04 PM
  19. belarkan's Avatar
    You guys should read Ars Technica for a better knowledge of what has been disclosed by Snowden.
    I really fail to see how BlackBerry could be safe, if not accomplice.
    They implemented backdoors in HTTPS, SSL and many other encryption systems, with the help of the vendors, or the certification authorities.
    They can decrypt often in real time...

    Posted via CB10
    danprown likes this.
    09-07-13 05:18 PM
  20. belarkan's Avatar
    09-07-13 05:23 PM
  21. anon62607's Avatar
    I am genuinely interested if BES is also affected - did you (or anyone) find a source regarding this issue?

    The article in 'Spiegel' is the more recent article albeit the WSJ reported the same issue two months earlier. Even though the article in Spiegel isn't as detailed as I had hoped, the WSJ blog post from June leaves me under the impression that BES *might* not be affected.

    It really is an interesting question and leaves me with another question: how about the security of the phone itself (and not regarding the BB mail infrastructure).

    I am looking forward to an interesting discussion and hope to have the two questions answered.
    BIS should be trivial to the point of not worth mentioning that the NSA can break it.

    I would presume that it's BES that they are talking about, but I also presume that it's not an attack on the cryptographic stream that they are breaking. However, the mention of the change of a compression system temporarily defeated the attack and that sort of implies that they are able to break the encryption itself, which is almost unbelievable - but the implication is there. With a known compression scheme there is a part of the message which will be known and that will aid in the decryption attempt. It's contributing a known plaintext, though only part of the width of a cryptographic block.

    BES is not something I would rely on anyway to protect against a national intelligence resource and particularly not the NSA. BES still relies on the ability to indoctrinate / enroll a new device into an organization and thus supply a new device with the symmetric keys and thus those keys must be available and vulnerable to an organization willing and able to penetrate the server that those keys are located, and message keys are not "forward secret" they are kept around for a time before and after the current message is delivered.

    The most concerning thing there is that a compression change temporarily defeated the attack, which slightly implies the NSA has an analytical attack available against either 3DES or AES, though there are other less scary possibilities.

    Sent from my iPad using Tapatalk HD
    09-07-13 05:24 PM
  22. anon62607's Avatar
    You guys should read Ars Technica for a better knowledge of what has been disclosed by Snowden.
    I really fail to see how BlackBerry could be safe, if not accomplice.
    They implemented backdoors in HTTPS, SSL and many other encryption systems, with the help of the vendors, or the certification authorities.
    They can decrypt often in real time...

    Posted via CB10
    The Ars article and indeed the leaked slides themselves leave a lot to speculation. For example, the NSA might have broken one of the common ciphers such as RC4 (there is heavy speculation now that they have) and this would explain a lot of what's there. The attacks are several times mentioned to be fragile, meaning easy to protect against if you know what the attack specifically is. If you know never to use RC4 (which is used all over the place - it's frequently used in SSL / TLS as the cipher and is fourth on the default list for SSH which is also mentioned to be attackable) then you can easily protect against these attacks.

    Unfortunately it's still not easy to find what attacks the NSA might have available. There are suggestions now to avoid elliptic curve encryption as it might be particularly vulnerable to the NSA and in almost the same breath it's said to avoid public key cryptography that relies on factoring. You're quickly left with almost nothing on the public key side you can trust and if RC4, 3DES and AES are suspect to varying degrees and even Blowfish should be avoided due to small block sizes there is very little out there to use.




    Sent from my iPad using Tapatalk HD
    09-07-13 05:36 PM
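
One way to act on the point in the post above about knowing which ciphers to avoid, as an added example that is not part of the thread: audit a configured cipher preference list for the families the poster names (RC4, 3DES, Blowfish). The pattern table, function names, sample `sshd_config` and sample suite list are constructed for illustration.

```python
import re

# Cipher families the post above calls suspect. The name patterns are this
# example's assumption about how they show up in OpenSSH/OpenSSL cipher names.
SUSPECT = {
    "RC4": re.compile(r"rc4|arcfour", re.I),
    "3DES": re.compile(r"3des|des-cbc3", re.I),
    "Blowfish": re.compile(r"blowfish|\bbf-", re.I),
}

# Constructed sample sshd_config, not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# Ciphers aes256-ctr   (commented out, must be ignored)
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc
"""

# Constructed sample TLS preference list using OpenSSL-style suite names.
SAMPLE_TLS_SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA", "AES128-SHA"]


def ssh_ciphers(config_text):
    """Return the cipher list from the first active 'Ciphers' line (first match wins)."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "ciphers":
            value = parts[1].strip()
            if value.startswith("-"):      # "-list" only removes from the defaults
                return []
            return [c for c in value.lstrip("+^").split(",") if c]
    return []


def audit(names):
    """Return (preference position, cipher name, family) for every suspect entry."""
    findings = []
    for position, name in enumerate(names, start=1):
        for family, pattern in SUSPECT.items():
            if pattern.search(name):
                findings.append((position, name, family))
                break
    return findings


if __name__ == "__main__":
    for label, names in (("ssh", ssh_ciphers(SAMPLE_SSHD_CONFIG)), ("tls", SAMPLE_TLS_SUITES)):
        for position, name, family in audit(names):
            print(f"{label}: #{position} {name} -> {family}; remove it from the list")
```
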
  23. alan510's Avatar
    So what would be the motivation behind the publishing of this article, coming as it does days before another Apple launch? Just wondering about the timing.

    Posted via CB10
    09-07-13 05:44 PM
  24. anon62607's Avatar
    So what would be the motivation behind the publishing of this article, coming as it does days before another Apple launch? Just wondering about the timing.

    Posted via CB10
    That's like asking why ProPublica and the New York Times decided to make public the latest Snowden documents on Thursday.

    The article was published about as quickly as it could have been written making use of the just released documents. Why would they delay publication because Apple is about to launch a product?


    Sent from my iPad using Tapatalk HD
    09-07-13 05:47 PM
  25. offyoutoddle's Avatar
    So just as a quick question - if you run a BES10 server at home (I do), what traffic is encrypted from my BlackBerry back as far as my BES server? End to end email is not obviously, unless it is internal mail on the Exchange server linked to the BES. But is all TCP traffic from the BlackBerry encrypted over BES, out via my carrier to the NOC and back to my BES server? At this point it presumably emerges at my server and is once again 'in the clear'? Is that correct?
    09-07-13 06:03 PM