Thread: Blackberries insecure?




Blackberries insecure?
2007-06-20 22:41:20
According to the AP (which is quoting Le Monde), "French government defense experts have advised officials in France's corridors of power to stop using BlackBerry, reportedly to avoid snooping by U.S. intelligence agencies."

That's a bit puzzling.  My understanding is that email is encrypted from the organization's (Exchange?) server to the receiving Blackberry, and that it's not in the clear while in transit or on RIM's servers. In fact, I found this text on Blackberry's site:

	Private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry device user. Each secret key is stored only in the user's secure
	regenerated by the user wirelessly.

	Data sent to the BlackBerry device is encrypted by the BlackBerry Enterprise Server using the private key retrieved from the user's mailbox. The encrypted information travels securely across the network to the device where it is decrypted with the key stored there.

	Data remains encrypted in transit and is never decrypted outside of the corporate firewall.

Of course, we all know there are ways that keys can be leaked.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

Re: Blackberries insecure?
Austria
2007-06-21 08:47:21
Steven M. Bellovin wrote:
> According to the AP (which is quoting Le Monde), "French government defense experts have advised officials in France's corridors of power to stop using BlackBerry, reportedly to avoid snooping by U.S. intelligence agencies."
> 
> That's a bit puzzling.  My understanding is that email is encrypted from the organization's (Exchange?) server to the receiving Blackberry, and that it's not in the clear while in transit or on RIM's servers.

(quick reply) they specifically mentioned the servers:

"The ban has been prompted by SGDN concerns that the BlackBerry system is based on servers located in the US and the UK,..."

https://financialcryptography.com/mt/archives/000856.html
http://www.ft.com/cms/s/dde45086-1e97-11dc-bc22-000b5df10621.html

iang


RE: Blackberries insecure?
United Kingdom
2007-06-21 09:24:43
On 21 June 2007 04:41, Steven M. Bellovin wrote:

> According to the AP (which is quoting Le Monde), "French government defense experts have advised officials in France's corridors of power to stop using BlackBerry, reportedly to avoid snooping by U.S. intelligence agencies."
> 
> That's a bit puzzling.  My understanding is that email is encrypted from the organization's (Exchange?) server to the receiving Blackberry, and that it's not in the clear while in transit or on RIM's servers. In fact, I found this text on Blackberry's site:
> 
> 	Private encryption keys are generated in a secure, two-way authenticated environment and are assigned to each BlackBerry device user. Each secret key is stored only in the user's secure
> 	regenerated by the user wirelessly.
> 
> 	Data sent to the BlackBerry device is encrypted by the BlackBerry Enterprise Server using the private key retrieved from the user's mailbox. The encrypted information travels securely across the network to the device where it is decrypted with the key stored there.
> 
> 	Data remains encrypted in transit and is never decrypted outside of the corporate firewall.
> 
> Of course, we all know there are ways that keys can be leaked.

  And work factors reduced.  And corporations who want to do business in the US have been known to secretly collaborate with the US.gov before to sabotage encryption features on exported devices (e.g. Lotus, Crypto AG, Microsoft, Netscape).  So there's no reason to take the assurances on the blackberry website at face value, and if you're a government or other .org that really takes security /proper/ seriously, you've got to account for the very real risk.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....


Re: Blackberries insecure?
2007-06-21 09:41:20
On Wed, Jun 20, 2007 at 11:41:20PM -0400, Steven M. Bellovin wrote:

> According to the AP (which is quoting Le Monde), "French government defense experts have advised officials in France's corridors of power to stop using BlackBerry, reportedly to avoid snooping by U.S. intelligence agencies."
> 
> That's a bit puzzling.  My understanding is that email is encrypted from the organization's (Exchange?) server to the receiving Blackberry, and that it's not in the clear while in transit or on RIM's servers. In fact, I found this text on Blackberry's site:
> In fact, I found this text on Blackberry's site:

The key issue is who manages the (not necessarily, but often Exchange) mail store. Enterprise BlackBerry devices should be safe from external attacks, consumer BlackBerry devices use servers provisioned elsewhere.

Are the officials using "Corporate" or "Personal" BlackBerry devices?

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

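The trust boundaries described in the BlackBerry text Bellovin quotes, and the question Duchovni raises about who manages the mail store, modelled as an added example (a constructed illustration, not RIM's code or protocol): the per-user key sits in the mailbox and on the device, the relay in between carries ciphertext only, and whoever operates the mail store holds the key. The cipher, the `MailStore` and `Relay` classes and the user name are stand-ins.

```python
# Constructed model (added illustration, not RIM's code or protocol) of the
# trust boundaries in the quoted BlackBerry text: the per-user key lives in the
# mailbox (read by the BES) and on the device; the relay carries ciphertext only.
# The cipher is a stand-in so this runs on the standard library: HMAC-SHA256
# keystream in counter mode, encrypt-then-MAC, separate subkeys for each role.
import hashlib, hmac, secrets

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key, label):                # key separation: one device key, two roles
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(device_key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(device_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(device_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(device_key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(device_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: blob altered in transit")
    ks = _keystream(_subkey(device_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class MailStore:                        # corporate mail store (often Exchange)
    def __init__(self):
        self.device_keys = {}
    def provision(self, user):          # key generated, stored in the mailbox, copied to the device
        self.device_keys[user] = secrets.token_bytes(32)
        return self.device_keys[user]

class Relay:                            # RIM's servers: forward and record every blob
    def __init__(self):
        self.observed = []
    def forward(self, blob):
        self.observed.append(blob)
        return blob

def bes_send(store, relay, user, message):   # encrypted inside the firewall with the mailbox key
    return relay.forward(encrypt(store.device_keys[user], message))

def relay_sees_plaintext(relay, message):    # what an operator of the relay could read
    return any(message in blob for blob in relay.observed)
```

The device decrypts with its own copy of the key and the relay log never contains the plaintext, but `store.device_keys` shows that anyone with access to the mail store can decrypt the same blob.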

Re: Blackberries insecure?
United States
2007-06-21 13:40:09
Steven M. Bellovin wrote:
> That's a bit puzzling.  My understanding is that email is encrypted from the organization's (Exchange?) server to the receiving Blackberry, and that it's not in the clear while in transit or on RIM's servers.

Doesn't this run into the common problem of "supposedly it's secure, but they're not offering the source", just like with e.g. Skype, TPM RNGs, all commercial hardware security modules that I'm aware of, etc?

Personally, I found a SymbianOS phone with a full keyboard that's lighter, thinner and more stylish than the Blackberry, runs Python and exposes most of the phone functionality to it through a set of APIs, and is happy to grab my mail via IMAP+SSL. With an unlimited data plan, who cares if it's pull instead of push e-mail?

-- 
Ivan Krstić <krstic@solarsail.hcs.harvard.edu> | GPG: 0x147C722D


Re: Blackberries insecure?
United States
2007-06-21 21:15:20
On Jun 20, 2007, at 8:41 PM, Steven M. Bellovin wrote:

> According to the AP (which is quoting Le Monde), "French government defense experts have advised officials in France's corridors of power to stop using BlackBerry, reportedly to avoid snooping by U.S. intelligence agencies."
>
> That's a bit puzzling.  My understanding is that email is encrypted from the organization's (Exchange?) server to the receiving Blackberry, and that it's not in the clear while in transit or on RIM's servers. In fact, I found this text on Blackberry's site:
>

There have been rumors for years that the BlackBerry protocol is compromised by some government or other. I've heard them for years. Ultimately, no one knows, and there's no way to know. It boils down to whether you trust RIM or not.

There is a PGP software package for the BlackBerry that will further encrypt the content before it's sent out. I use it, and it's quite nice. It cooperates really nicely with one of my PGP Universal servers, as well. It's one of the best integrations of crypto into a mail package I've ever seen.

However, you still have to trust RIM. I've never seen any of the code, myself, and to my knowledge no one outside RIM has. There are any number of ways that the implementation could be compromised, with or without RIM's knowledge.

Paranoia is the *unwarranted* belief that people are out to get you. The warranted belief that people are out to get you is caution. Personally, I think that this is pure paranoid rumor and innuendo. That doesn't mean it's wrong, it just means it's unwarranted.

Last week, I got sent a posting on a web site that someone made that said that he had secret knowledge that the USG could break RSA for all key sizes that anyone uses, so you should just stop using any cryptosystem that uses it. Of course, he couldn't tell us anything more to protect the position of the person who told him that. I said that if someone told you that an unidentified friend had secret knowledge that banks were unsafe and so you shouldn't keep your money there, your "I'm being scammed" hairs on the back of your neck would stand up. But if some unidentified someone tells you that the crypto's bad, it's met with complete credulity.

I have no doubt that people in various governments want to spy on high-ranking French. Duh.

But what's more likely, that there are secret government compromises of security, or that there's a secret disinformation campaign with the goal of convincing these people that the crypto is compromised? Of course, the really delicious theory is that they've compromised the crypto and then started the disinformation campaign in order to get people like me to discredit the disinformation campaign and thus reassure people that the crypto isn't broken, when in fact it is. Is this paranoid, or merely cautious?

	Jon



