01-06-14 01:03 PM
36 12
tools
  1. rthonpm's Avatar
    Effective intelligence gathering requires two things:

    1. A means to intercept data
    2. The means to process and decode that data in a timely manner.

    Even if BES transmissions were to be hacked, if it takes a 'sustained TAO operation', how much time would it take to break the encryption? Let's say it takes months at a conservative measure, by that time the value of a good deal of information would be useless except for filling in outdated information or trying to make better projections, but the on the ground value is very little, especially in the government world where processes and procedures change quite rapidly.
    Sith_Apprentice likes this.
    01-06-14 09:57 AM
  2. Omnitech's Avatar
    For me what strikes the most is the range of tools available to the NSA. They sure have the resources and the man power.

    It proves that privacy, liberties and civil rights are non-existent in technology.

    First of all, when people start claiming "everything is snoopable/crackable", most people making such sweeping statements have no clue about technical details. If they did, it would be an irresponsible statement.

    Secondly, there is no doubt whatsoever that the NSA has far more resources at their disposal than any other governmental SIGINT operation. So just because the NSA might be able to get something, doesn't mean everyone else in the world can. (Just to start out with, it happens to be awfully convenient that the vast majority of the online service vendors and manufacturers of internet infrastructure hardware happen to be based in the USA. That certainly makes matters much more convenient for the NSA when it comes time to snoop on things.)

    As far as privacy, liberties and civil rights being "non-existent in technology", that's nonsense.

    It MIGHT in fact be scarily more true than we would like, or that most laypeople realized realized prior to the Snowden revelations. But this is not a foregone conclusion. There are already many efforts underway not only to potentially reign-in what the NSA is doing governmentally, but various entities and individuals in the technology field have begun to engage in a process of working on "NSA-proofing" the online world as a result of these revelations. Because clearly many people (including myself) are convinced that it has gone too far. And it IS possible to reign this in.

    In fact, in a way the Snowden revelations may be a blessing in disguise. If the USA can demonstrate that it has the character and resolve as a nation to do the right thing and reign-in an agency that has gotten way out of hand the last 10 years or so, it will serve as a beacon and example to the rest of the world and a warning of what could happen in other countries. And it will give the USA the moral standing to press for reforms about such matters all around the world, whereas at the present time (even BEFORE the Snowden revelations), the USA's complaints about foreign governmental and geopolitical cyber-snooping and cyber-warfare have come off as hypocritical nonsense.



    BlackBerry should take this opportunity to increase its security not just on BES and the standalone phone but also in the communications itself, an end to end solution.....at least between BlackBerry devices.

    Perhaps you forget that BlackBerry is one of the largest vendors of secure communications products to agencies like the NSA and the CIA and other governmental and military organizations around the world.

    BlackBerry is not particularly inclined to go around crowing about "NSA resistance" in their products because the NSA is one of they key customers.
    01-06-14 11:20 AM
  3. Omnitech's Avatar
    If BES relies significantly on Exchange to distribute information accordingly, then I can definitely see how any unauthorized user could subvert Windows and Exchange to get the information they need. But with such an insecure base to rely on, namely Windows and Exchange security, doesn't this make the way BES communicates just as inherently insecure?
    In order to have a useful product that will interoperate with the popular enterprise email and groupware systems that are commonly in use today, BES has to be compatible with them. If those platforms are inherently weak, there is only so much BES can "fix" that for them.

    Sometimes being "compatible" is vastly more straightforward if you share the same OS platform. One also has to consider that one could not necessarily assume that the people operating the BES system (typically the same staff operating the rest of the organization's email or groupware infrastructure) would be familiar with some esoteric OS platform that BlackBerry might choose simply to make it theoretically more secure. I think it's a practical matter to build it on mostly the same sort of platform that their target customers are already running the rest of their email/groupware infrastructure on, because their staff will by definition be experienced administrators of that platform.
    01-06-14 11:33 AM
  4. Omnitech's Avatar
    "They infiltrated networks of European telecommunications companies and gained access to and read mails sent over Blackberry's BES email servers, which until then were believed to be securely encrypted. Achieving this last goal required a "sustained TAO operation," one document states."

    There's only a very vaguely-worded half sentence, right after stating they have infiltrated EU communication networks, about being able to read emails "sent over" BES servers and that it required a sustaoned operation - this is pretty far from cracking BES itself. Had they done it they 1. wouldn't need to hack into every comm networks and 2. they wouldn't need to keep doing it.
    To me it sounds like they figured out some man-in-the-middle hack, likely as a result of some lousy config somewhere along the line (BES itself could be using weaker crypto ie other than AES256, long considered insecure.)

    Even if BES transmissions were to be hacked, if it takes a 'sustained TAO operation', how much time would it take to break the encryption?


    Remember that one of the key Snowden revelations is that the NSA has been compromising SSL transmissions - most likely by spoofing X.509 certificates or Certificate Authorities. It's quite possible that this is all that is going on. Re: this "sustained TAO operation" - if I'm not mistaken the TAO group within NSA focuses on exploits, not mathematical code-breaking.

    Regarding SSL compromise - the heinous thing about that is - that if they are actually convincing the organizations whose primary function is supposed to be to provide a 100% guaranteed global verification of the authenticity of a certificate and certificate-holder, what they have actually done is completely undermined the entire foundation of online data security. If all it takes is the NSA asking Verisign to make them a phony certificate that allows them to impersonate Google - then the whole jig is up. The entire concept of a "trusted certificate authority" is now 100% bunk and EVERYTHING is at risk.

    What many have pointed-out about this - is that by doing this kind of thing as it indeed appears they have done - they have completely undermined the security of the whole world, including for Americans, for years to come.

    This is the kind of thing only pompous assholes would try to pull, people who basically think that they "walk on water". It is the height of arrogance and self-serving irresponsibility.
    clickitykeys likes this.
    01-06-14 11:33 AM
  5. vrud's Avatar
    Regarding SSL compromise - the heinous thing about that is - that if they are actually convincing the organizations whose primary function is supposed to be to provide a 100% guaranteed global verification of the authenticity of a certificate and certificate-holder, what they have actually done is completely undermined the entire foundation of online data security. If all it takes is the NSA asking Verisign to make them a phony certificate that allows them to impersonate Google - then the whole jig is up. The entire concept of a "trusted certificate authority" is now 100% bunk and EVERYTHING is at risk.
    Wait a minute. Can't privately owned BES generate its own SSL certificates to be used for email transport?
    What you describe above looks to be applicable to public domains only (such as Google) but can't compromise enterprise email security, can it?
    01-06-14 12:00 PM
  6. Sith_Apprentice's Avatar
    Wait a minute. Can't privately owned BES generate its own SSL certificates to be used for email transport?
    What you describe above looks to be applicable to public domains only (such as Google) but can't compromise enterprise email security, can it?
    SSL isnt used for Email. SSL is used for the console websites, and yes you can generate a self signed cert. AES256 (or better) is used for email transport.
    vrud likes this.
    01-06-14 12:13 PM
  7. Omnitech's Avatar
    There are also allegations that NSA may have "special knowledge" about AES weaknesses that is not public information.

    It's pretty much assumed that this is the case with the DUAL_EC_DRBG random number algorithm, but some people also suspect NSA may have tricks or exploits to weaken the strength of AES as well.

    This is why various independent security-conscious organizations are starting to drop AES and only use open-source / non-gov-affiliated encryption protocols until there is more assurance that there isn't some "secret compromise" of AES.


    https://threatpost.com/silent-circle...lations/102452
    Non-NIST Cipher Suite | Silent Circle Blog
    vrud likes this.
    01-06-14 12:36 PM
  8. Sith_Apprentice's Avatar
    There are also allegations that NSA may have "special knowledge" about AES weaknesses that is not public information.

    It's pretty much assumed that this is the case with the DUAL_EC_DRBG random number algorithm, but some people also suspect NSA may have tricks or exploits to weaken the strength of AES as well.

    This is why various independent security-conscious organizations are starting to drop AES and only use open-source / non-gov-affiliated encryption protocols until there is more assurance that there isn't some "secret compromise" of AES.


    https://threatpost.com/silent-circle...lations/102452
    Non-NIST Cipher Suite | Silent Circle Blog
    NSA has published whitepapers on ECC and why it would be prudent to go from AES to ECC where possible


    http://www.nsa.gov/business/programs...ic_curve.shtml

    and of course...

    BlackBerry Purchases Certicom
    01-06-14 12:38 PM
  9. Omnitech's Avatar
    NSA has published whitepapers on ECC and why it would be prudent to go from AES to ECC where possible


    The Case for Elliptic Curve Cryptography - NSA/CSS

    and of course...

    BlackBerry Purchases Certicom

    Yeah I've posted many times here about the Certicom/BBRY/NSA relationship.

    There are various logical arguments in favor of ECC, but the Scientologists at first tell you they're just trying to sell you a self-help book, too.

    Here's an interesting doc I found and linked in another post here recently:

    http://www.certicom.com/pdfs/FAQ-The...eAgreement.pdf

    It seems that Certicom still fully maintains its independent website at www.certicom.com.
    jxnb likes this.
    01-06-14 12:51 PM
  10. Sith_Apprentice's Avatar
    Yeah I've posted many times here about the Certicom/BBRY/NSA relationship.

    There are various logical arguments in favor of ECC, but the Scientologists at first tell you they're just trying to sell you a self-help book, too.

    Here's an interesting doc I found and linked in another post here recently:

    http://www.certicom.com/pdfs/FAQ-The...eAgreement.pdf

    It seems that Certicom still fully maintains its independent website at www.certicom.com.
    I believe they are like QNX, their own entity under the BlackBerry umbrella. Dont quote me on that as I cannot find the source at the moment.
    jxnb likes this.
    01-06-14 12:54 PM
  11. Omnitech's Avatar
    I believe they are like QNX, their own entity under the BlackBerry umbrella. Dont quote me on that as I cannot find the source at the moment.
    I was just poking around, it's almost a bit creepy - all the corporate info pages at the certicom website get either a 404 error or the news stops in 2009 before the acquisition, and a search for "certicom" on BlackBerry's website returns almost nothing, as does Googling "certicom site:blackberry.com".

    WooOOOOooooOOOOoOOOOOOoOooOOoooooo...
    jxnb and Sith_Apprentice like this.
    01-06-14 01:03 PM
36 12

Similar Threads

  1. Will security be compromised
    By CoquiPeru in forum Legacy Leaked/Beta OS
    Replies: 5
    Last Post: 01-08-14, 07:39 PM
  2. Can a Blackberry be compromised??
    By localexpat in forum General BlackBerry Discussion
    Replies: 6
    Last Post: 12-31-13, 07:28 PM
LINK TO POST COPIED TO CLIPBOARD