02-13-14 10:34 PM
  1. badiyee's Avatar
    Wow after reading this part I realized that it's somehow not safe to use a blackberry because of the back doors out there...

    "In BlackBerry's case, an NIST fact sheet shows the company implemented the algorithm as part of its cryptography toolkit for its BlackBerry 10 Enterprise service, among other products. But BlackBerry's relationship with Dual_EC is even closer than other companies. In 2009, the company purchased Certicom - in the process acquiring the patent that forms the basis for the Dual_EC algorithm.

    Given the company's adamant denials in recent years that it offers backdoor access to intelligence agencies, critics argue BlackBerry owes its customers and shareholders an explanation.

    “While it is true that many engineers and others were aware of this compromised algorithm, and the engineering security community as a whole is now dealing with this apparent lack of integrity among its members, in the case of BlackBerry's knowledge of the backdoors the implications are far more serious,” said Ronald Deibert, director of the Citizen Lab at the University of Toronto's Munk School of Global Affairs. “Users of BlackBerry the world over ... must now assume without evidence to the contrary that all of their communications are shared with security services, and possibly industry competitors as well.”

    BlackBerry did not respond to a request for comment for this story."

    Posted Via CB10 Running On Z10STL100-2 Using OS Version 10.2.1.1925
    Can you elaborate how is it you came to "realize" that it wasn't safe to use a BlackBerry?

    You know, I find fault with some of the statements.

    But BlackBerry's relationship with Dual_EC is even closer than other companies.
    Problem was, BlackBerry stopped using it, or never used it, or only used partial parts of it, and came up with their own implementation. The patent belonged to Certicom. I'm sure nobody wanted BlackBerry to just use another algorithm and risk probably getting sued right? So what is the closeness apart from Certicom being acquired by RIM? Nothing. Companies take over companies, their assets and liabilities. Are you saying that BlackBerry must not buy Certicom because somehow they KNEW?

    I've got a question, apart from interview against 3rd party so called "wizards" and "experts", (to me sounds more like lizards and expireds), what concrete proof does anyone have to say that

    a) BlackBerry knew this all along BEFORE purchase (which is the core of the argument is BlackBerry masterminding this? To which I find the possibility is near zero)

    b) after buying Certicom, and having all that blame and buck passed to BlackBerry, despite claims of the Dual EC elliptical curve algorithm that supposedly has a backdoor, has a proven public exploit of the key used against a BlackBerry device? (because if this is true, then there are 2 repercussions on BlackBerry, that 1, its security is breached, and 2, they did NOTHING to patch over it, to which, I think the answer was they stopped / did not use it, which is also a solution in entirety)

    c)
    Users of BlackBerry the world over ... must now assume without evidence to the contrary that all of their communications are shared with security services
    So we are going to assume BlackBerry is guilty unless proven innocent, over what an interview over a hearsay only over again another hearsay over a piece written opinion on a tabloid which was plagiarized from an opinionated blog which claimed that BlackBerry is the mastermind behind the NSA's hack your phone attempts, who the author could not even establish factual integrity via a timeline check?

    Wow, guilty until proven innocent. Wow.... Just wow.

    *clap clap clap clap clap*

    All hail the court of jesters, the opinion court of people.

    Had Edward Snowden written that and posted a document about presentation being made, I would be more willing to buy it since he used to be with the NSA. Now we've got a guy who happens to be a director and suddenly his words are infallible. What happened to "question", "verification"?

    At least it's not like Google who kept denying they keep farming your data 8 times a day, and Apple farms your data 4 times a day, even when caught red-handed.
    01-21-14 03:18 PM
  2. ryanza's Avatar
    Was this article published before or after BlackBerry bashed Samsung Knox security recently? If my memory serves me right a statement about Samsung Knox was made this week or last week.

    Posted via CB10
    Last edited by ryanza; 01-21-14 at 11:53 PM.
    01-21-14 11:39 PM
  3. Superfly_FR's Avatar
    Was this article published before or after BlackBerry bashed Samsung Knox security recently? If my memory serves me right a statement about Samsung Knox was made this week or last week.

    Posted via CB10
    Before.
    Timeline : Blog - Article - Answer.
    01-22-14 03:23 AM
  4. Superfly_FR's Avatar
    Wow after reading this part I realized that it's somehow not safe to use a blackberry because of the back doors out there...

    "In BlackBerry's case, an NIST fact sheet shows the company implemented the algorithm as part of its cryptography toolkit for its BlackBerry 10 Enterprise service, among other products. But BlackBerry's relationship with Dual_EC is even closer than other companies. In 2009, the company purchased Certicom - in the process acquiring the patent that forms the basis for the Dual_EC algorithm.

    Given the company's adamant denials in recent years that it offers backdoor access to intelligence agencies, critics argue BlackBerry owes its customers and shareholders an explanation.

    “While it is true that many engineers and others were aware of this compromised algorithm, and the engineering security community as a whole is now dealing with this apparent lack of integrity among its members, in the case of BlackBerry's knowledge of the backdoors the implications are far more serious,” said Ronald Deibert, director of the Citizen Lab at the University of Toronto's Munk School of Global Affairs. “Users of BlackBerry the world over ... must now assume without evidence to the contrary that all of their communications are shared with security services, and possibly industry competitors as well.”

    BlackBerry did not respond to a request for comment for this story."

    Posted Via CB10 Running On Z10STL100-2 Using OS Version 10.2.1.1925
    Twice false.
    BlackBerry isn't using this technology. And they answered, later.

    Reactive Media Statement
    "BlackBerry does not use the Dual EC DRBG algorithm in our products. We work closely with certification authorities around the world to validate the security of our products, and remain confident in the superiority of our mobile platform for customers using our device and enterprise server technology. BlackBerry public statements and principles have long underscored that there is no 'back door' to our platform. Our customers can rest assured that BlackBerry mobile security remains the best available solution to protect their mobile communications."
    There's no backdoor, besides the one in the initial blog post, leading to competitor(s) struggling for their survival in the enterprise market. FWIW, given the unusual tune of the latest Knox bashing, I speculate it's a tit for tat ...
    01-22-14 03:28 AM
  5. R Field's Avatar
    Huge hedge fund managers have influence over media outlets. Keep that stuff in mind. Anyways regarding the article itself and an actual statement to the public. You'll likely see it addressed or dispelled further sometime soon.

    Strange Connection between NSA and Ontario Tech firm [Globe]-sec.jpg
    Superfly_FR likes this.
    01-22-14 05:23 AM
  6. ArmedHitman's Avatar
    Was this article published before or after BlackBerry bashed Samsung Knox security recently? If my memory serves me right a statement about Samsung Knox was made this week or last week.

    Posted via CB10
    Samsung Knox is just ****... Filled with vulnerabilities because the base is made of android which is also filled with holes.

    Posted via CB10
    R Field likes this.
    01-22-14 07:06 AM
  7. trsbbs's Avatar
    It's not so much that Blackberry is directly subverting cryptography standards, but rather I feel the problem here is two-fold:

    1) They purchased Certicom after Dual_EC_DRNG had already been found to be compromised, and Blackberry, to this day, hasn't done anything about it. I'd even go so far as to say that they'd rather simply turn a blind eye to the issue instead of addressing it.
    2) The backdoor has knowingly been introduced into Blackberry's BES services, which are supposed to exist at the top echelon of security-based communication.

    So the problem isn't so much BBRY creating the subversion themselves, but rather knowingly allowing the problem to perpetuate itself, insofar as to compromise their own BES services.
    BlackBerry needs to comment on this and work toward making BlackBerry secure once more.
    Disappointing. But then that's BlackBerry.

    CB10 via Verizon Z10. 10.2.1.1925
    01-22-14 07:30 AM
  8. Superfly_FR's Avatar
    1) They purchased Certicom after Dual_EC_DRNG had already been found to be compromised, and Blackberry, to this day, hasn't done anything about it. I'd even go so far as to say that they'd rather simply turn a blind eye to the issue instead of addressing it.
    2) The backdoor has knowingly been introduced into Blackberry's BES services, which are supposed to exist at the top echelon of security-based communication.
    1) Certicom is not a single patent company. The Dual_EC_DRNG is one of many and there's probably interactions between them in an IR protection sense, aka the ECC as a whole.
    2) I'm nowhere near sure that either your claim or the blog/Globe one is legit. BlackBerry statement clearly denies this. Do you have any factual check about this?
    rthonpm likes this.
    01-22-14 09:08 AM
  9. rthonpm's Avatar
    1) Certicom is not a single patent company. The Dual_EC_DRNG is one of many and there's probably interactions between them in an IR protection sense, aka the ECC as a whole.
    2) I'm nowhere near sure that either your claim or the blog/Globe one is legit. BlackBerry statement clearly denies this. Do you have any factual check about this?
    This is the first sensible comment in this thread. People just love putting on tin foil hats: one post and all of a sudden BlackBerry isn't secure and has had a major conspiracy to allow security organisations access to encryption keys.

    Encryption and security is a complex issue and setting a password on a wifi network doesn't give someone the knowledge to properly comment on anything in this article. I'd rather hear from two experts in the security field than any of the Chicken Littles bouncing around terms they don't completely understand.

    The bulk of the people on these forums should be more concerned with the data they're freely giving away to Google, Facebook, foursquare, and all of the other social apps rather than worrying about a bunch of mathematical equations that they don't understand.

    Posted via CB10
    01-24-14 04:49 AM
  10. greggebhardt's Avatar
    Anyone who does not think that the NSA does not have COMPLETE access to their Blackberry is in DENIAL!
    qwerty4ever and milo53 like this.
    01-24-14 07:16 AM
  11. SmellWhole's Avatar
    Anyone who does not think that the NSA does not have COMPLETE access to their Blackberry is in DENIAL!
    Don't be silly. Are you saying that without physical access to the handset the NSA can remotely access pics, password keeper, and files from a locked and encrypted BBOS BlackBerry? Even with physical access, the NSA (or anyone) would need to remove the BlackBerry's memory chip, successfully extract its data, and decrypt the data in order to get to those things.
    01-24-14 07:30 AM
  12. ArmedHitman's Avatar
    Don't be silly. Are you saying that without physical access to the handset the NSA can remotely access pics, password keeper, and files from a locked and encrypted BBOS BlackBerry? Even with physical access, the NSA (or anyone) would need to remove the BlackBerry's memory chip, successfully extract its data, and decrypt the data in order to get to those things.
    You make it sound easy loool
    01-24-14 06:39 PM
  13. Gator99's Avatar
    There is a turning point where a nation's citizens say enough is enough. We (here in Canada at least), are not at that point. That's not to say it won't happen or can't happen. The Middle East is a perfect example of where it has happened. As long as the government never crosses that line, and switches from protecting us to controlling us, that's good enough for me. Mind you, if I were a criminal.... then forget that.

    Sent from the future on my ? Z10
    01-24-14 09:13 PM
  14. qwerty4ever's Avatar
    In this day and age not using electronic communication of some type makes you a suspicious person to the government.

    Posted with CB10 running on BlackBerry Q5
    01-24-14 10:01 PM
  15. SmellWhole's Avatar
    In this day and age not using electronic communication of some type makes you a suspicious person to the government.
    To a government that sucks. I don't really care if my **** government is suspicious of me. I'm suspicious of it!
    qwerty4ever likes this.
    01-24-14 10:13 PM
  16. qwerty4ever's Avatar
    I can understand folks being upset if it were actually true that BBRY knew of a backdoor
    Do you think BlackBerry management give a hoot about your communications being secure and unencryptable?

    Posted with CB10 running on BlackBerry Q5
    01-24-14 10:18 PM
  17. badiyee's Avatar
    Do you think BlackBerry management give a hoot about your communications being secure and unencryptable?

    Posted with CB10 running on BlackBerry Q5
    Depending on your answer, I would like to request your burden of proof. On either argument. BIS or without BIS, BES or without BES.
    01-25-14 09:05 PM
  18. qwerty4ever's Avatar
    Depending on your answer, I would like to request your burden of proof. On either argument. BIS or without BIS, BES or without BES.
    BIS uses a common public-private key-pair for all subscribers and BlackBerry holds the master key. BES uses a unique public-private key-pair but the organisation can be legally compelled to turn over the keypair to law enforcement. I doubt any business is prepared to issue a self-destruct command to their BES server(s) and tell law enforcement to go play in the slop trough.

    Posted via the BlackBerry Q5 using CB10.
    02-04-14 04:56 AM
  19. _dimi_'s Avatar
    BIS uses a common public-private key-pair for all subscribers and BlackBerry holds the master key. BES uses a unique public-private key-pair but the organisation can be legally compelled to turn over the keypair to law enforcement. I doubt any business is prepared to issue a self-destruct command to their BES server(s) and tell law enforcement to go play in the slop trough.

    Posted via the BlackBerry Q5 using CB10.
    So if BES is installed, a company should be protected against anybody but their own government? Meaning other governments, competitors, hackers,... can't get to info that runs through a BES server?
    02-04-14 05:38 AM
  20. Richard Buckley's Avatar
    So if BES is installed, a company should be protected against anybody but their own government? Meaning other governments, competitors, hackers,... can't get to info that runs through a BES server?
    Correct. This is what BlackBerry has always stated. The keys are exchanged between the server and device in a secure way, similar to what web browsers and web servers do.
    _dimi_ likes this.
    02-07-14 07:53 AM
  21. qwerty4ever's Avatar
    Correct. This is what BlackBerry has always stated. The keys are exchanged between the server and device in a secure way, similar to what web browsers and web servers do.
    Given that EEC has been compromised by the US NSA your claim is no guarantee of security against unwarranted snooping. The only sure way to protect your BlackBerry smartphone activated on a BlackBerry Server is a kill switch which remotely wipes every smartphone before wiping the BES instance itself. Naturally, the mailstores on Microsoft Exchange Server must be wiped and all backups stored in encrypted form off-site. Your government, in any country, does not exist to serve your interests, only their own.

    Posted via the BlackBerry Q5 using CB10.
    02-07-14 06:29 PM
  22. Richard Buckley's Avatar
    Given that EEC has been compromised by the US NSA your claim is no guarantee of security against unwarranted snooping. The only sure way to protect your BlackBerry smartphone activated on a BlackBerry Server is a kill switch which remotely wipes every smartphone before wiping the BES instance itself. Naturally, the mailstores on Microsoft Exchange Server must be wiped and all backups stored in encrypted form off-site. Your government, in any country, does not exist to serve your interests, only their own.

    Posted via the BlackBerry Q5 using CB10.
    First, what is suspected of being compromised is the Dual Elliptic Curve Deterministic Random Number Generator. And then only using a specific curve. Use another curve and the problem goes away. Anyone who knows about cryptography has known this for a long time. They also know it is slower than the other three recommended DRNGs. Which is why almost no one uses it. BlackBerry has stated that they don't use the DECDRNG. Many libraries implement it, including OpenSSL. Only RSA is known to use it by default, and even in their implementation it can be turned off. Only RSA, not BlackBerry or OpenSSL, is known to have taken $10,000,000 to make it the default.

    http://arstechnica.com/security/2014...lion-nsa-deal/
    Posted via CB10
    Last edited by Richard Buckley; 02-07-14 at 09:04 PM. Reason: Add link to Bruce Schneier Nov 15, 2007 article.
    02-07-14 08:30 PM
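
Added example, not part of any post in this thread: a simplified Dual EC generator in Python illustrating the concern post 22 describes. Whoever knows a secret number d linking the generator's two public points (P = d*Q) can compute its next output from a single earlier output, while a generator whose points have no known relation gives the same routine nothing to work with. Assumptions: the secp256k1 curve equation stands in for the NIST curve, output truncation and reseeding are omitted, and d, the seed and all names are constructed for the demonstration.

```python
# Added illustration (not from the thread): simplified Dual EC generator.
# Simplifications: no output truncation, no reseeding, and the secp256k1
# curve equation y^2 = x^3 + 7 stands in for the NIST curve.
P_FIELD = 2**256 - 2**32 - 977   # field prime, p % 4 == 3
B = 7

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % P_FIELD, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """Return a curve point with x-coordinate x, or None if there is none."""
    rhs = (pow(x, 3, P_FIELD) + B) % P_FIELD
    y = pow(rhs, (P_FIELD + 1) // 4, P_FIELD)
    return (x, y) if y * y % P_FIELD == rhs else None

class DualEC:
    def __init__(self, P, Q, seed):
        self.P, self.Q, self.s = P, Q, seed

    def next_output(self):
        self.s = mul(self.s, self.P)[0]   # s_i = x(s_{i-1} * P)
        return mul(self.s, self.Q)[0]     # r_i = x(s_i * Q)

def predict_next(r, d, Q):
    """From one output r and a d with P = d*Q, compute the next output."""
    R = lift_x(r)                  # +/- s_i*Q; the sign does not affect x
    s_next = mul(d, R)[0]          # x(d * s_i * Q) = x(s_i * P) = s_{i+1}
    return mul(s_next, Q)[0]

# Constructed constants for the demonstration.
Q = next(pt for pt in map(lift_x, range(1, 100)) if pt)
D_SECRET = 0xC0FFEE123456789     # known only to whoever picked P and Q
P = mul(D_SECRET, Q)

def demo(seed=0x1D0C5EED2014):
    gen = DualEC(P, Q, seed)
    r1, r2 = gen.next_output(), gen.next_output()
    with_d = predict_next(r1, D_SECRET, Q) == r2
    wrong_d = predict_next(r1, D_SECRET + 1, Q) == r2
    return with_d, wrong_d
```

`demo()` returns `(True, False)`: the prediction succeeds only with the exact d, which is why points generated in a verifiable way, so that nobody holds such a d, remove the concern.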
  23. qwerty4ever's Avatar
    BlackBerry has stated that they don't use the DECDRNG.
    Posted via CB10
    BlackBerry management has made many statements which turned out to be blatantly false. Unless the source code can be reviewed we have to trust BlackBerry.

    Posted via the BlackBerry Q5 using CB10.
    02-08-14 06:22 AM
  24. Richard Buckley's Avatar
    BlackBerry management has made many statements which turned out to be blatantly false. Unless the source code can be reviewed we have to trust BlackBerry.

    Posted via the BlackBerry Q5 using CB10.
    Yes, of course you do. Or you could trust Apple, Microsoft or Google + whoever made the hardware. If you don't trust BlackBerry I can find someone to take your Q5 off your hands.

    We do know the cost of RSA's trustworthiness though. I suppose it depends on the set of your tinfoil hat.

    Edit: And open source software is not necessarily more secure. Even though people can look at the source code, it doesn't always happen, or people don't always spot problems. Sometimes it can allow security issues to be introduced:
    In order to keep a warning from being issued by the Valgrind analysis tool, a maintainer of the Debian distribution applied a patch to the Debian implementation of the OpenSSL suite, which inadvertently broke its random number generator in the process. The broken version was included in the Debian release of September 17, 2006 (version 0.9.8c-1). Any key generated with the broken random number generator, as well as data encrypted with such a key, was compromised. The error was reported by Debian on May 13, 2008.

    http://www.debian.org/security/2008/dsa-1571
    Posted via CB10
    Last edited by Richard Buckley; 02-08-14 at 09:24 AM.
    02-08-14 08:45 AM
  25. SmellWhole's Avatar
    BlackBerry management has made many statements which turned out to be blatantly false. Unless the source code can be reviewed we have to trust BlackBerry.
    It's extremely unlikely that BlackBerry would lie about this because it would irreparably destroy its reputation if the truth ever came out.
    Richard Buckley likes this.
    02-08-14 09:58 AM