1. Radius's Avatar
    I still don't see the issue regardless. I suspect anyone that's ever seen a log of data transactions on an average company server would even care if their information was being stored as they know full well it takes a monumental effort to even see what one individual is doing.

    It's real simple, give someone reason to look real hard at you and they will. Otherwise, don't worry about it.
    08-09-10 09:24 AM
  2. Steve Rizla's Avatar
    This is a non-issue.

    If you live in Saudi Arabia, your information will be monitored. If you don't live in Saudi Arabia but you BBM someone in Saudi Arabia, your information will be monitored.

    If your message is about buying/selling oil or postcards, you have nothing to worry about.
    If your message is about buying/selling bombs, then you have something to worry about.

    You still have the option to not talk to shady people and you still have the option not to use a BlackBerry if this bothers you. This is no different than raising a red flag when the phone bill for your landline has a lot of calls to a known criminal.
    08-09-10 09:42 AM
  3. Reed McLay's Avatar
    BlackBerry Messenger and PIN to PIN messages are NOT encrypted. They are scrambled using a global cryptographic key which EVERY BlackBerry in the world uses. BES administrators have the option to encrypt the body of PIN messages (but not the PIN itself) using an organization-specific encryption key but that limits users to only be able to send PIN messages within the organization so it is usually not done. It is possible to use the S/MIME Package RIM sells to encrypt PIN to PIN messages but that gets complicated and is really only done by Government organizations.


    There are a couple of problems with PIN to PIN messaging that is also the basis of BlackBerry messenger that you should know about. The Communications Security Establishment in Canada was kind enough to detail some of these issues:

    • As said before, PIN to PIN messages by default are NOT encrypted; they are scrambled using a cryptographic key.
    • If a wireless carrier or government manages to reroute your PIN message to any other BlackBerry in the world by changing the header then it will be readable on that device.
    • Devices cannot be reused by another person since messages for that PIN will continue to come to the device for the original owner. Think of it this way. If you sell your BlackBerry the new owner will get your PIN messages. The sender would also have no idea that this is the case.
    • You have no idea if the person sending you that PIN message has not sold their device or had it stolen by another person who is impersonating them.
    • Even if an organization uses their BES with an organization-specific PIN key the PIN number is still not encrypted and sent in the clear. That means a snoop could see who is sending messages back and forth.
    Thanks to Shabbs for posting the link.

    BlackBerry users should be aware of these issues, everywhere.
    08-09-10 11:19 AM
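
The properties listed in the post above (one global key on every handset, a body-only organization key, a cleartext PIN header) can be modelled in a few lines. This is an added example, not part of the thread and not RIM's code: the keys and PINs are constructed, and the HMAC-SHA256 keystream is a stand-in for whatever cipher the real service uses.

```python
import hashlib
import hmac
import os
# Constructed keys and PINs; the HMAC-SHA256 keystream is a stand-in cipher (assumption).
GLOBAL_KEY = b"constructed-global-key"   # the one key shared by every device
ORG_KEY = b"constructed-org-key"         # organization-specific key set by a BES admin

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, to_pin, body):
    """Protect the body only; the destination PIN stays a cleartext header."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(body))
    ct = bytes(a ^ b for a, b in zip(body, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"to_pin": to_pin, "nonce": nonce, "ct": ct, "tag": tag}

def reroute(msg, new_pin):
    """Model of the header change described in the post: only the PIN is rewritten."""
    return dict(msg, to_pin=new_pin)

class Device:
    def __init__(self, pin, keys):
        self.pin, self.keys = pin, keys

    def receive(self, msg):
        """Return the body if addressed to this PIN and one held key verifies it."""
        if msg["to_pin"] != self.pin:
            return None
        for key in self.keys:
            expected = hmac.new(_subkey(key, b"mac"), msg["nonce"] + msg["ct"], hashlib.sha256).digest()
            if hmac.compare_digest(expected, msg["tag"]):
                ks = _keystream(_subkey(key, b"enc"), msg["nonce"], len(msg["ct"]))
                return bytes(a ^ b for a, b in zip(msg["ct"], ks))
        return None

def demo():
    colleague = Device("2100000B", [GLOBAL_KEY, ORG_KEY])
    outsider = Device("2100000C", [GLOBAL_KEY])   # any handset outside the organization
    body = b"quarterly numbers attached"
    default_msg = seal(GLOBAL_KEY, colleague.pin, body)
    org_msg = seal(ORG_KEY, colleague.pin, body)
    return {
        "global_rerouted": outsider.receive(reroute(default_msg, outsider.pin)),
        "org_rerouted": outsider.receive(reroute(org_msg, outsider.pin)),
        "org_delivered": colleague.receive(org_msg),
        "header_visible": org_msg["to_pin"],
    }

if __name__ == "__main__":
    print(demo())
```

With the global key the rerouted message opens on the outsider's device; with the organization key it does not, but the destination PIN is readable in both cases.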
  4. shabbs's Avatar
    Does that make better sense to everyone?
    Thanks JRSCCivic98, I certainly appreciate the detail. I think the key is that once it hits the BES Server, it's behind the company's corporate firewall and if traffic is leaving the BES un-encrypted to their corporate mail server, that is not a huge concern since it's not being transmitted over the Big Bad Internet at that point. Encrypting internal communications traffic would be up to the company to implement I would assume?

    RIM has a nice pretty picture here:

    BlackBerry - Wireless Data Security at BlackBerry.com

    As does CB:

    http://crackberry.com/blackberry-ent...er-bes-what-it
    08-09-10 11:45 AM
  5. shabbs's Avatar
    Thanks to Shabbs for posting the link.

    BlackBerry users should be aware of these issues, everywhere.
    I found those two pretty interesting, especially the BBM and PIN-PIN info. I think it's important to distinguish between BES and BIS users and where encryption is actually applied. With BIS, everything transmits in the clear from RIM's point of view and the only protection is whatever wireless security a user's own Carrier implements. With BES, JRSCCivic98 gave a nice overview of where in the line stuff is encrypted, with the secure link being from BB Handheld --> BES Server as implemented by RIM's security architecture.
    08-09-10 11:54 AM
  6. Reed McLay's Avatar
    A Saudi Arabian wireless operator said it’s waiting for instructions from the country’s regulator on whether to shut off Research In Motion Ltd.’s BlackBerry instant messaging service as a midnight deadline approaches.
    ...

    Talks between RIM and Saudi authorities show signs of positive solutions, Al Arabiya television reported today, citing unidentified sources at wireless operators. Negotiators are weighing three alternatives, the Dubai-based channel said.

    The first option is that RIM agrees to give the kingdom special servers that make users’ data available to Saudi authorities. The second choice is that the Canadian company grants Saudi telecom regulators “keys” to log into RIM’s main encrypted servers so that they can monitor data of Saudi phone company subscribers. The third alternative is that the regulator resorts to third-party companies to decipher BlackBerry messaging data.
    ...
    RIM, Carriers Await Saudi Regulator's Call on BlackBerry Messaging Ban - Bloomberg

    Even Bloomberg is citing made up sources.

    "We are going to continue to work with them to make sure they understand the reality of the Internet," he said. "A lot of these people don’t have Ph.Ds, and they don’t have a degree in computer science."
    08-09-10 12:49 PM
  7. shabbs's Avatar
    Is this all about keeping morals in check in Saudi Arabia?

    BlackBerry Deal May Mean Flirting Gets Harder for Saudi Youth - Bloomberg

    Interesting take on why they want access to the data.
    08-09-10 03:14 PM
  8. Reed McLay's Avatar
    Saudi Arabia, Research In Motion Agree on BlackBerry Use, U.S. Says
    ...

    “There are reports of an agreement between RIM and Saudi Arabia,” State Department spokesman Philip J. Crowley told reporters in Washington. He said department officials will meet with company officials today. “We’ll ask if it’s true, for particulars on how it was reached. We’ll see if we can’t be of assistance.” ...
    Saudi Arabia, Research In Motion Agree on BlackBerry Use, U.S. Says - Bloomberg
    08-09-10 04:27 PM
  9. JRSCCivic98's Avatar
    This is a non-issue.

    If you live in Saudi Arabia, your information will be monitored. If you don't live in Saudi Arabia but you BBM someone in Saudi Arabia, your information will be monitored.

    If your message is about buying/selling oil or postcards, you have nothing to worry about.
    If your message is about buying/selling bombs, then you have something to worry about.


    You still have the option to not talk to shady people and you still have the option not to use a BlackBerry if this bothers you. This is no different than raising a red flag when the phone bill for your landline has a lot of calls to a known criminal.
    What if oil and postcards was code for plutonium and bombs? lol
    08-09-10 10:02 PM
  10. JRSCCivic98's Avatar
    I found those two pretty interesting, especially the BBM and PIN-PIN info. I think it's important to distinguish between BES and BIS users and where encryption is actually applied. With BIS, everything transmits in the clear from RIM's point of view and the only protection is whatever wireless security a user's own Carrier implements. With BES, JRSCCivic98 gave a nice overview of where in the line stuff is encrypted, with the secure link being from BB Handheld --> BES Server as implemented by RIM's security architecture.
    Yet RIM continues to sell people on the point that a Blackberry is more secure than any other mobile platform on the planet. Of course, they also tell you it's also the best email solution as well... all the time leaving out small details that prove to the contrary depending on specifics and/or configuration/application of their product. Hummm.... that's interesting.
    08-09-10 10:04 PM
  11. grahamf's Avatar
    iirc the only thing that RIM's noc know is the point of origin, destination, type (BBM, Email/email-tie in), and length?
    08-09-10 10:30 PM
  12. shabbs's Avatar
    So, the latest "rumour du jour" has RIM offering up the codes to provide access to their users' BBs. As per the following article... from an unnamed source...

    New RIM offer to Saudis is BlackBerry 'codes'-source | Reuters

    Not sure about this one, and what exactly is a "code" to the users' phones.
    08-10-10 11:18 AM
  13. Reed McLay's Avatar
    By Souhail Karam and Asma Alsharif

    RIYADH/JEDDAH, Saudi Arabia, Aug 10 (Reuters) - BlackBerry maker Research In Motion has agreed to hand over coveted "codes" to users' phones to try to avert a ban on its Messenger service in Saudi Arabia, an industry source familiar with the talks told Reuters on Tuesday.

    The Canadian company declined to comment, referring media to its earlier statement in which it said: "RIM cooperates with all governments with a consistent standard."
    ...
    "We are going to continue to work with them to make sure they understand the reality of the Internet," he said. "A lot of these people don’t have Ph.Ds, and they don’t have a degree in computer science."
    Got your work cut out for you.
    08-10-10 12:50 PM
  14. grahamf's Avatar
    I wonder if these were the codes:
    9800: Blackberry Torch
    9700: Blackberry Bold
    9600: Blackberry Tour/Bold, CDMA
    9500: Blackberry Storm
    9300: Blackberry Curve 3G
    9100: Blackberry Pearl 3G
    9000: Blackberry Bold
    8900: Blackberry Curve
    8800: Blackberry unnamed - business
    8700: Blackberry unnamed - business
    8500: Blackberry Curve
    8300: Blackberry Curve
    8200: Blackberry Pearl Flip
    8100: Blackberry Pearl
    etc
    Last edited by grahamf; 08-10-10 at 02:18 PM.
    08-10-10 02:12 PM
  15. pattste's Avatar
    It seems pretty obvious that RIM is talking out of both sides of its mouth here. On the one side they're talking tough and claim they will not compromise security. On the other they make shady backroom deals to install servers in countries (even though they claimed just last week that the location of the servers didn't make a difference) and agree to give them "codes" (even though they claimed just last week that they didn't have such "codes" and that there was no backdoor). The only thing that we know for sure is that the despots and the tyrannic regimes appear to be satisfied.
    08-10-10 07:37 PM
  16. shabbs's Avatar
    It seems pretty obvious that RIM is talking out of both sides of its mouth here. On the one side they're talking tough and claim they will not compromise security. On the other they make shady backroom deals to install servers in countries (even though they claimed just last week that the location of the servers didn't make a difference) and agree to give them "codes" (even though they claimed just last week that they didn't have such "codes" and that there was no backdoor). The only thing that we know for sure is that the despots and the tyrannic regimes appear to be satisfied.
    I would not draw that conclusion just yet.... everything we've seen has been from "unnamed sources" and nothing from RIM. As for the tyrannic regimes being satisfied... perhaps they've come to realize RIM ain't selling out and are backing down from their bluff.

    Early days...
    08-10-10 07:50 PM
  17. Reed McLay's Avatar
    I would not draw that conclusion just yet.... everything we've seen has been from "unnamed sources" and nothing from RIM. As for the tyrannic regimes being satisfied... perhaps they've come to realize RIM ain't selling out and are backing down from their bluff.

    Early days...
    Plus One.

    Tonight's Global TV News carried the story.

    RIM to share some BlackBerry codes with Saudis: Source

    so the company changed course and offered the Interior Ministry and intelligence services the codes to all Saudi BlackBerry users, said the source, who was not authorized to speak about the talks and asked not to be named.

    ...

    Kevin Newman, Canada's most trusted news reader, used at least three qualifiers in telling the story.... I laughed.

    Interesting to note, NBC News won't touch this story.


    08-10-10 08:45 PM
  18. Jake Storm's Avatar
    It seems pretty obvious that RIM is talking out of both sides of its mouth here....
    Really? It doesn't seem that obvious to me.
    In fact RIM has been professional enough not to talk about any business deals until they are completed... if in fact there are any deals.
    You're getting excited about unconfirmed information from unknown sources.
    08-10-10 09:00 PM
  19. hoong's Avatar
    This really is a non issue, RIM just put the server there to silence the UAE, no matter how many servers you put in between, you still have a secure pathway back to your company intranet via BES.

    When you travel to Asia, eg Hong Kong and send email to your colleague back in the States, the data needs to go thru dozens of gateways (servers), the data is encrypted and only can be decrypted by the home server with the key.

    Sure, all encryption is breakable provided the time and CPU power invested in it, and using triple DES is much safer than SSL 128bit. And company change key once or every 2 years to make it harder to keep up.
    08-10-10 09:38 PM
  20. JRSCCivic98's Avatar
    I would not draw that conclusion just yet.... everything we've seen has been from "unnamed sources" and nothing from RIM. As for the tyrannic regimes being satisfied... perhaps they've come to realize RIM ain't selling out and are backing down from their bluff.

    Early days...
    lol, RIM doesn't tell you why a Blackberry outage happens when it happens. Do you honestly think they'll tell you anything about such dealings?

    I'll agree that we seem to be getting a "two-faced" view of RIM currently. They're so scared that they'll lose market share that they'll do ANYTHING to keep/secure it... ANYTHING. That's not good in my book.
    08-10-10 09:46 PM
  21. hoong's Avatar
    Actually this whole shebang is not about RIM not being secure, but instead the UAE fears its internal data being routed out of their country, and countries like the US or Canada can snoop it, hence the national security problem to the UAE. RIM telling them no one other than the key holder can decrypt the content doesn't make them feel good enough.

    With a server in the UAE, data targeted back to the UAE doesn't have to route to Canada for distribution back to the UAE, they can just distribute the data within UAE soil, this is their main concern.
    08-10-10 09:47 PM
  22. JRSCCivic98's Avatar
    Then why are there articles stating that UAE officials (anonymous) told news outlets that RIM is handing over "decryption codes" to them? Honestly, here's a better solution to this... stop using BBs and you don't have to worry about your data being proxied in another country (i.e. Canada). ALL other Smartphones on the market use standard TCP/IP non-proxied data transfers similar to that of a standalone PC on the web. Simple as that... I told you guys a couple of years ago RIM's NOC infrastructure was going to come back and bite them in the bud sooner or later... and now it's happening.
    08-10-10 09:55 PM
  23. hoong's Avatar
    Other non-BlackBerry devices use standard TCP/IP to connect back to the server and some via SSL for encryption, they still get routed by gateways, but if your data is local, the data never gets routed out of country.

    There's a problem with a TCP/IP connection, and the problem is the device needs to keep the connection open, when the device holder travels around and the IP changes, the device needs to establish a new connection again. And all this background connection will drain battery and is not "efficient" as claimed by RIM.

    Hence RIM uses PIN to identify the devices and not IP addresses because PIN is static. And only RIM's NOC knows how to distribute that data based on the PIN and then will push to the carrier and to the devices.
    08-10-10 10:09 PM
  24. Reed McLay's Avatar
    Then why are there articles stating that UAE officials (anonymous) told news outlets that RIM is handing over "decryption codes" to them? Honestly, here's a better solution to this... stop using BBs and you don't have to worry about your data being proxied in another country (i.e. Canada). ALL other Smartphones on the market use standard TCP/IP non-proxied data transfers similar to that of a standalone PC on the web. Simple as that... I told you guys a couple of years ago RIM's NOC infrastructure was going to come back and bite them in the bud sooner or later... and now it's happening.
    Canada is the only nation on the Planet that can be trusted to host the NOC.

    We witnessed a Global BlackBerry outage last December. That can only happen if there is a single NOC.

    If we believe the statements issued by Research in Motion, each one of the hosting nations have bought into the concept of secure communications. America, Russia and China have seen the light and appreciate the value that strong encryption brings to the table. It is the top level of government that gets them first.

    08-10-10 10:09 PM
  25. JRSCCivic98's Avatar
    Other non-BlackBerry devices use standard TCP/IP to connect back to the server and some via SSL for encryption, they still get routed by gateways, but if your data is local, the data never gets routed out of country.

    There's a problem with a TCP/IP connection, and the problem is the device needs to keep the connection open, when the device holder travels around and the IP changes, the device needs to establish a new connection again. And all this background connection will drain battery and is not "efficient" as claimed by RIM.

    Hence RIM uses PIN to identify the devices and not IP addresses because PIN is static. And only RIM's NOC knows how to distribute that data based on the PIN and then will push to the carrier and to the devices.
    Ya, I know how that works. Also, a BB still has an IP address from the carrier... how else do you think it has data connectivity to their network. lol

    Anyway.... battery efficiency left aside, I still prefer a non-proxy based device if I had the choice of handsets to pick without having to be limited by carrier exclusivity issues and crappy carriers to choose from.

    Canada is the only nation on the Planet that can be trusted to host the NOC.

    We witnessed a Global BlackBerry outage last December. That can only happen if there is a single NOC.

    If we believe the statements issued by Research in Motion, each one of the hosting nations have bought into the concept of secure communications. Russia and China have seen the light and appreciate the value that strong encryption brings to the table. It is the top level of government that gets them first.

    How about we just get rid of the NOC completely? Make the BB device capable of working both as NOC hosted and not. That way it's up to the user as to how they have their device configured and THEY choose how their security works. If they choose proxy based, they can benefit from better battery life and current other benefits. If they choose direct connect, then they choose to deal with more data usage and worse battery life. I can tell you this... from what I've seen on the BB platform from chat programs and other apps that hold a constant data connection open, a BB's battery gets killed off way faster in this configuration than any other Smartphone on the market that works the same way. I believe that if RIM was to flip the switch on all BBs and make them work as hard as other Smartphones do now, we'd see battery life fall so hard, you wouldn't be able to use a BB but for a few hours before a charge was required.

    Trust me on this one... a chat program I had installed on an old 8830 that wasn't push based, but kept a constant keepalive connection to the various chat servers (i.e. MSN, Yahoo, AIM, etc.) killed the battery on that device in a few hours easy. It was slightly worse than if you were on the phone the entire time... yes, that bad.
    08-10-10 10:27 PM