[Kawdess]

The Saudi regulatory official, who spoke on condition of anonymity because he was not authorized to discuss the details of the deal with the media, said tests were now under way to determine how to install a BlackBerry serve inside the country.

Saudi Says Deal Reached on BlackBerry Services - ABC News

[scorpiodsu]

So does this mean they will now have access to user's stuff being sent? If so then, that's taking away the very thing that good about blackberry. If I lived over there, I'd be looking to get another device asap. Even if it's flip phone.

[Reed McLay]

The first point is, all of the current news is based on a single, unnamed source within KSA Telecom.

The second point is, even if KSA security has full access to the encrypted data stream, they still can not decrypt BES security.

The Worlds security agencies are shaking in their boots. That last thing they want is this story getting traction because it highlights a security hole that they can do nothing about.

None of them can.

TECHNOLOGY - TECHNOLOGY - U.S. Selects a New Encryption Technique - NYTimes.com

the strongest flavor of Rijndael will require any brute-force decryption attempt to use as many combinations as 1,100 followed by 75 zeroes.

The standards institute estimates that today's computers would take approximately 149 trillion years to decrypt such a message. (The Big Bang, by comparison, is estimated to have occurred less than 20 billion years ago.) Mr. Kammer said that barring advances in so-called quantum computing that would render all notions of current computer power obsolete, the new standard should be effective for 30 years.

...

[WhoolioPreludee]

I knew RIM would bend over and eventually give in..... You give into one, all want the same. Better get some... rim.

Posted from my CrackBerry at wapforums.crackberry.com

[JRSCCivic98]

Translation... Proxy server in that area. You guys didn't actually think RIM was going to give them the middle finger and stick to the big talk Mike said, did you? The BB data network came back up yesterday because RIM gave in, not because the carriers in that area turned them back on. One thing you guys should learn and quick. The Arabs don't bluff. If they say they'll do something, they'll do it one way or another at one time or another. Only way to stop it is to stick to your own guns. Like it or not, dedication to sticking to your guns is what's liked in that area. You talk big and you walk big... if you can't, then you die trying. RIM doesn't have this sort of dedication... they do anything for money.

[TaZ52083]

Translation... Proxy server in that area. You guys didn't actually think RIM was going to give them the middle finger and stick to the big talk Mike said, did you? The BB data network came back up yesterday because RIM gave in, not because the carriers in that area turned them back on. One thing you guys should learn and quick. The Arabs don't bluff. If they say they'll do something, they'll do it one way or another at one time or another. Only way to stop it is to stick to your own guns. Like it or not, dedication to sticking to your guns is what's liked in that area. You talk big and you walk big... if you can't, then you die trying. RIM doesn't have this sort of dedication... they do anything for money.

Totally agree with your statement.

[K Bear]

Translation... Proxy server in that area. You guys didn't actually think RIM was going to give them the middle finger and stick to the big talk Mike said, did you? The BB data network came back up yesterday because RIM gave in, not because the carriers in that area turned them back on. One thing you guys should learn and quick. The Arabs don't bluff. If they say they'll do something, they'll do it one way or another at one time or another. Only way to stop it is to stick to your own guns. Like it or not, dedication to sticking to your guns is what's liked in that area. You talk big and you walk big... if you can't, then you die trying. RIM doesn't have this sort of dedication... they do anything for money.

You nailed it.

[avt123]

RIM doesn't have this sort of dedication... they do anything for money.

Exactly. Look at the way RIM is currently controlled by the carriers.

[Radius]

Exactly. Look at the way RIM is currently controlled by the carriers.

I don't get it, this is a bad thing?

All phones are controlled by the carriers, who do you think sells them and allows them to work?

I said it in another thread and I'll say it here, this whole USA thing is a NON-ISSUE. Why anyone cares is completely beyond me. They already monitor all other communications on other phones and regular phone calls on the BB, so what? I guess RI should give up half the global market to competitors and die so we can feel good about ourselves?

Feel good about what? Thank God they can't see BBM's, let's sit back and watch the latest YouTube video of a 14 year old being stoned to death for getting into a car without a male relative with her.

Sorry, but this whole "issue" is really sad and it's time we forgot about it.

[Jake Storm]

...You talk big and you walk big... if you can't, then you die trying. RIM doesn't have this sort of dedication... they do anything for money.

Civic, your swinging dyck attitude doesn't befit a lady.
There's nothing wrong with RIM catering to a large customer to make money.
This has no (zero, zilch, nada) affect on BB security in North America. Why is this an issue? Americans spend too much time worrying about how to make the middle east more like us.

[grover5]

Yeah what's up with the macho routine? Anyway Radius said it best and I couldn't agree more all the way down to the honor killing insanity...that's dedication I do not admire.

[JRSCCivic98]

Civic, your swinging dyck attitude doesn't befit a lady.
There's nothing wrong with RIM catering to a large customer to make money.
This has no (zero, zilch, nada) affect on BB security in North America. Why is this an issue? Americans spend too much time worrying about how to make the middle east more like us.

Say what? Where is this coming out of... left field? How do you come to this from what I said. What I said pertains to attitudes in that part of the world. RIM thought they could call their bluff and they couldn't. I find that funny. Also, there is no macho attitude here... I simply say it like it is. It's the truth. If it wasn't, you'd see suicide bombers give up before anything happened.

Anyway, we're way off topic here. So, back on topic.

Also, RIM doing stuff like this DOES jeopardize the credibility of RIM putting security beyond anything if you ask me. I don't care if BBs are secure or not, but the fact that RIM keeps saying that they are the most secure platform and then do this. This basically says: "Yep, we're secure... unless you show us some green... then we can bend our rules a little for you."


As for the carriers controlling the handset manufacturers... not all of them. Apple is basically on the reverse of this situation. AT&T entered into a contract that basically makes them a slave to Apple. I think this is really one of the reasons why we haven't seen an iPhone on Verizon. Verizon likes to dictate what their vendors should do for them. Apple's Steve doesn't ride that pony. He basically tells you to **** off and see things his way. If not, too bad... next. He's very arrogant and doesn't fold. Even the whole iPhone4 antenna issue. He has the never to point fingers to other handsets and then basically tells you to not hold the phone a certain way. I mean, it's arrogant, but you have to admire the guy's gall.

[L o r d R a j]

So does this mean they will now have access to user's stuff being sent? If so then, that's taking away the very thing that good about blackberry. If I lived over there, I'd be looking to get another device asap. Even if it's flip phone.

Get another device...

And what would that accomplish?
Everything else is monitored as it is. It's not like BlackBerry would be the ONLY device that is being monitored. ****, even the internet connections being used at homes and laptops are sniffed.

Getting another device really wouldn't solve anything, now would it?

[Jake Storm]

Say what? Where is this coming out of... left field? How do you come to this from what I said. What I said pertains to attitudes in that part of the world. RIM thought they could call their bluff and they couldn't. I find that funny. Also, there is no macho attitude here... I simply say it like it is. It's the truth. If it wasn't, you'd see suicide bombers give up before anything happened.

So, you think RIM should have "stuck to their guns" even after calling their bluff didn't work? Die trying eh?
WTF? That makes no sense from a business standpoint. Glad your not running my company!

... Apple's Steve doesn't ride that pony. He basically tells you to **** off and see things his way. If not, too bad... next. He's very arrogant and doesn't fold. Even the whole iPhone4 antenna issue. He has the never to point fingers to other handsets and then basically tells you to not hold the phone a certain way. I mean, it's arrogant, but you have to admire the guy's gall.

No you don't! People think he's a condescending ****, and contrary to "admiring his gall" I'll teach my kids to not behave like that.
Are you suggesting Balsille and Lazaridis go telling the Saudi government to **** off and see things their way, and when they call their bluff hold onto that arrogant attitude or "die trying"?
Unfortunately, Steve Jobs and what you suggest are admirable qualities, enforces the stereotypical view a lot of people have about Americans. I don't subscribe to that way of thinking because I have a lot of friends and family south of the Canadian border, but being an arrogant *** isn't always the best way to run a company. Remember Larry Ellison? He was an arrogant ***.

[i7guy]

You're right. In the end it's going to come to, whose phone is on the most insecure platform and whose platform is the easiest to monitor by government agencies.

They hit a homerun with the 9800 and OS6 and have got to keep up the momentum and not cower.

They are in a tough situation with these governments.

[Reed McLay]

It has been over 24 hours and some 2,600 News stories, there is still no credible source for this story.

The latest rewrites are still quoting:

an official from the Communications and Information Technology Commission’s technical department told Reuters. ...

The possibility exists, there is no story here. KSA Intelligence wants the World to think they are on top of their security.

Analysis: RIM seeks security solution not a fight | Reuters

BLACKBERRY NEVER BEFORE BANNED

Industry experts and analysts say it is unlikely anyone will ever learn how the company forged a compromise with countries seeking access to data that RIM says it has no way of intercepting.

"In the past, when people have made similar threats, either they withdrew completely, without RIM doing anything, or perhaps, behind the scenes, RIM was able to ... come up with a compromise that allowed everybody to go away happy. And that's never publicized," said Duncan Stewart, Deloitte Canada's director of research on technology, media and telecommunications.

"Of the very long list of people who have threatened to ban BlackBerries, nobody's actually done it, ever, not once, not even for a minute."

In a statement this week, RIM said that claims it has provided unique wireless services or access to any one country are "unfounded." [ID:nWEN8334]

"There is only one BlackBerry enterprise solution available to our customers around the world and it remains unchanged in all of the markets we operate in," the company said.

Aside from two brief statements and one interview, the tight-lipped company has been particularly quiet this week, only infrequently responding to media questions.

"In this case, given that you're dealing with geopolitical concerns, less is more. The less you say and the more you work toward a resolution and state it, the better," Mackie Research Capital Corp analyst Nick Agostino said.
...

[shabbs]

I don't see how putting a server in Saudi Arabia helps them snoop any more than before... the location does not matter, as per RIM's statement:

Source: The Official Word from RIM About BlackBerry Security and Data Access | BlackBerry Cool

"The location of data centers and the customer’s choice of wireless network are irrelevant factors from a security perspective since end-to-end encryption is utilized and transmissions are no more decipherable or less secure based on the selection of a wireless network or the location of a data center. All data remains encrypted through all points of transfer between the customer’s BlackBerry Enterprise Server and the customer’s device (at no point in the transfer is data decrypted and re-encrypted)."

I assume BIS follows similar architectural rules. Perhaps they just want to snoop on carrier-specific emails as opposed to [email protected] emails etc...?

[Exiled Bulldawg]

The first point is, all of the current news is based on a single, unnamed source within KSA Telecom.

The second point is, even if KSA security has full access to the encrypted data stream, they still can not decrypt BES security.

The Worlds security agencies are shaking in their boots. That last thing they want is this story getting traction because it highlights a security hole that they can do nothing about.

None of them can.

TECHNOLOGY - TECHNOLOGY - U.S. Selects a New Encryption Technique - NYTimes.com

RIM doesn't use that standard. PGP is still pretty much unbreakable, without a keylogger. It's amazing how secure a 512 bit key can be. And that is 10 year old technology. I haven't read about this new structure, however, I wonder what advantages over PGP it has. Definitely will be an interesting read.

BTW, for what it's worth, RIM's flaw is the same message can be captured encrypted and in the clear. And that is a major weakness for any encryption scheme.

[Reed McLay]

Rijndael was renamed to Advanced Encryption Standard (AES) after it was accepted into service by National Institute of Standards and Technology of the United States (NIST).

That 10 year old item turned up while I was searching for an example of how secure AES is.

Over a Hundred Trillion years of computer time to decrypt a single message puts the security of AES into perspective.

[Exiled Bulldawg]

I don't see how putting a server in Saudi Arabia helps them snoop any more than before... the location does not matter, as per RIM's statement:

Source: The Official Word from RIM About BlackBerry Security and Data Access | BlackBerry Cool

"The location of data centers and the customer�s choice of wireless network are irrelevant factors from a security perspective since end-to-end encryption is utilized and transmissions are no more decipherable or less secure based on the selection of a wireless network or the location of a data center. All data remains encrypted through all points of transfer between the customer�s BlackBerry Enterprise Server and the customer�s device (at no point in the transfer is data decrypted and re-encrypted)."

I assume BIS follows similar architectural rules. Perhaps they just want to snoop on carrier-specific emails as opposed to [email protected] emails etc...?

For the love of God, that is only true for communications that STAY on the same domain. If a Blackberry user on domain A sends a user on domain B a e-mail, that message is sent in the clear by necessity. Just how is server B going to know how to unencrypt the email or how is the device? Blackberry communications are only end to end encrypted on BES and WITHIN that framework. Beyond that, they are sent in the clear, like any other e-mail not specifically encrypted. So, where the router is allows for greater sniffing.

Simple cryptography. Not marketing. Cryptography. The only Blackberry specific application that might be true end to end encrypted would be Messenger. And that might be what's gotten the under various government's underoos.

As an aside, it is possible to send much more secure messages using different devices, not including straight use of RIM devices: PC's, iPhone, Android. The reason is how the encryption is done.

[Exiled Bulldawg]

Rijndael was renamed to Advanced Encryption Standard (AES) after it was accepted into service by National Institute of Standards and Technology of the United States (NIST).

That 10 year old item turned up while I was searching for an example of how secure AES is.

Over a Hundred Trillion years of computer time to decrypt a single message puts the security of AES into perspective.

Security is only possible if you protect the information from end to end. Blackberry only does that within a domain. Otherwise the data is decrypted and sent the same as any other communication. This idea communications through RIM are sacrosanct is childish at best. Only encryption from end to end is secure. Aside from intra domain traffic, RIM is not end to end encrypted. The encryption is enough to stop a casual attack, but not those by a government. Some government snooping I agree with. Some, Myanmar, Iran, Syria, DPRK, PRC, Zimbabwe, etc, I don't. People in these locations should never assume electronic communications are secure unless they take drastic efforts to thwart interception.

[shabbs]

For the love of God, that is only true for communications that STAY on the same domain. If a Blackberry user on domain A sends a user on domain B a e-mail, that message is sent in the clear by necessity. Just how is server B going to know how to unencrypt the email or how is the device? Blackberry communications are only end to end encrypted on BES and WITHIN that framework. Beyond that, they are sent in the clear, like any other e-mail not specifically encrypted. So, where the router is allows for greater sniffing.

Simple cryptography. Not marketing. Cryptography. The only Blackberry specific application that might be true end to end encrypted would be Messenger. And that might be what's gotten the under various government's underoos.

As an aside, it is possible to send much more secure messages using different devices, not including straight use of RIM devices: PC's, iPhone, Android. The reason is how the encryption is done.

So, a BES customer with Company A sends an email to a BES customer with Company B. Are you saying the message is sent in the clear/unencrypted somewhere between the two BES servers?

If that's the case then, would putting servers in Saudi Arabia as an "in between hop" before data is sent off to the servers back in Canada allow them to look at unencrypted data leaving the Saudi servers?

My curiosity is getting the better of me... will have to read up on their security architecture.

[shabbs]

Some interesting articles on what is and what is not encrypted...

FAQ: What Communication Is Encrypted on Your BlackBerry | BerryReview.com

FAQ: BlackBerry Messenger & PIN Messages are NOT Encrypted | BerryReview.com

[JRSCCivic98]

So, a BES customer with Company A sends an email to a BES customer with Company B. Are you saying the message is sent in the clear/unencrypted somewhere between the two BES servers?

If that's the case then, would putting servers in Saudi Arabia as an "in between hop" before data is sent off to the servers back in Canada allow them to look at unencrypted data leaving the Saudi servers?

My curiosity is getting the better of me... will have to read up on their security architecture.

What you guys don't realize is that BES IS NOT an email server. People constantly misunderstand this. BES is just a "middle-man" server that does enterprise security policy enforcement on a group of BBs registered under that BES and also interact with the onsite/enterprise email server to make email work to those mobile devices. In other words, without an email server of some kind (Exchange, Lotus Notes, etc.) onsite in the enterprise, BES isn't going to do anything for you in terms of email support.

So, when someone sends an email from the BB (even if on a BES with company A) to a person with a BB who's on BES with company B, the email traverses as follows:

BB->Carrier Network->Internet->Company A BES->Company A Email Server->Internet->Company B Email Server->Company B BES->Internet->Carrier Network->BB

Technically, the communication between BB and their respective company BESs should fall under BES encryption, but once that message leaves the BES server and hit the company email server, it's in clear text and then sent out as clear text via port 25 (SMTP) to the receiving end where it's again clear text until it hits the BES, which may or may not encrypt the message before forwarding it to the BB associated with that BES server.

Does that make better sense to everyone?

Also, I think I may be leaving out a hop in there between Carrier Network and Internet and Company BES. Somewhere in there is the trip through RIM's NOC. Also, technically speaking, all BES servers have a VPN like secure connection from the RIM NOC to the company's internet network. Basically, think of the BES as having it's own VPN tunnel back to RIM across the Internet cloud. If I'm right, these proxy servers the UAE wants put in will sit somewhere on the carrier network's side of things and give access to data aquired between BB->Carrier Network->Proxy Server->Internet->Company BES, or something very close to that. Technically speaking, the messages are still encrypted at that point, but there are unencrypted BES IDs and PIN IDs in the headers of the message or routing purposes through RIM's NOC which should be the additional hop between Internet and Company BES in the above path layout.

Someone correct me if I'm wrong...

[dpeters11]

So if one of my users visits Saudi Arabia and sends a message from his Blackberry, or a user sends email to a Blackberry on a Saudi Arabian carrier, and both are on BES, they'd only get the PIN and routing info. Right? Was this all they wanted? They're certainly not going to try to break all those encryption keys.