Re: [liberationtech] the Blackberry and Surveillance?
Hello,

I've written a pair of longer pieces that try to outline what is known about Blackberry device security. One focuses primarily on BBM security (http://www.christopher-parsons.com/the-danger-of-fetishizing-blackberry-messenger-security/) whereas the other tries to more comprehensively look at the various BIS services (which are, I think, largely depreciated in the BB10 OS infrastructure) (http://www.christopher-parsons.com/decrypting-blackberry-security-decentralizing-the-future/).

The end result is that BIS-based communications over BBM in particular, while encrypted, do not necessarily offer a meaningful degree of protection from the resources of state-based actors.

Cheers
Chris

Sent from my Privacy Undermining Technology
Re: [liberationtech] the Blackberry and Surveillance?
Michael & Ale,

I gave numerous interviews back in 2010 when Blackberry started openly co-operating with governments to keep their service online. The concerns raised then remain, to this day, unanswered by the company.

The company's unwillingness to constructively engage and be open regarding their practices on data sharing has led me to recommend to activists to AVOID their devices and services at all costs. Other far more secure solutions exist, such as the open source Guardian Project. Their secure solutions for Android are excellent and quite respected by digital security practitioners.

regards

Robert

Refs:

BlackBerry has reportedly reached an agreement with Saudi Arabia to continue messaging services in the country. It's unclear what data will now be shared. (August 10, 2010)
http://www.csmonitor.com/World/Global-News/2010/0810/BlackBerry-caved-to-Saudi-demands-rights-group

The Guardian Project: Secure Mobile Apps and Open-Source Code for a Better Tomorrow
https://guardianproject.info/

--
R. Guerra
Phone/Cell: +1 202-905-2081
Twitter: twitter.com/netfreedom
Email: rgue...@privaterra.org

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] the Blackberry and Surveillance?
I remember also during the UK riots last year people started using BBM and it was much more effective than other networks also partly due to not being as obvious or closely tracked as Facebook posts etc.

Ale
Re: [liberationtech] the Blackberry and Surveillance?
On 12/06/13 09:14, michael gurstein wrote:
> I haven't been watching that closely but in the course of my
> following the current discussions on surveillance I have yet to see
> a reference to RIM/Blackberry...
>
> Is this because its recent loss of market share means it isn't of
> particular interest (I would have thought the up to recent user
> demographics would rather make it of particular interest), because
> of some features which put it outside of the current surveillance
> stream, have I missed it in the current discussion, other?

Hi Mike,

As far as I know, the situation with BlackBerry is as follows. If you're an enterprise customer, you generate your own encryption key for BBM (I don't know whether it's used for email too), and run your own server. RIM claimed in August 2010 that it didn't have access to the encryption keys generated by enterprise customers and couldn't observe the content of their communication. The statement didn't say whether RIM could observe metadata.

http://blogs.thenational.ae/business/beep-beep/full-rim-customer-statement-on-blackberry-security-issues

If you're a non-enterprise customer, your BBM messages are scrambled with a key that's built into all BlackBerry devices and known to RIM.

https://mailman.stanford.edu/pipermail/liberationtech/2013-April/008293.html

RIM has come under pressure from several governments to decrypt BBM messages, so I think it's safe to assume that the key used for scrambling non-enterprise BBM messages is widely known by now.

For both enterprise and non-enterprise customers, if you use a third-party email provider, that provider will have access to content and metadata regardless of what device you're using.

I don't know whether wireless carriers can observe the metadata of BBM messages; they could collect the scrambled messages of non-enterprise customers, for descrambling by anyone who knows the key.

Cheers,
Michael
Re: [liberationtech] the Blackberry and Surveillance?
I haven't been watching that closely but in the course of my following the current discussions on surveillance I have yet to see a reference to RIM/Blackberry...

Is this because its recent loss of market share means it isn't of particular interest (I would have thought the up to recent user demographics would rather make it of particular interest), because of some features which put it outside of the current surveillance stream, have I missed it in the current discussion, other?

Tks,

Mike