[liberationtech] BlackBerry and CALEA-II
Griffin Boyce
griffinboyce at gmail.com
Mon Apr 29 13:59:43 PDT 2013
Jacob Appelbaum <jacob at appelbaum.net> wrote:
> Griffin Boyce:
> > I disagree. Blackberry isn't openly selling your data or otherwise
> > gifting it to third parties, but I don't think that's really enough.
>
> That is exactly what they're doing. They have a key that is static and
> from what I've heard, disclosed to LE and intel agencies, specifically
> to retain or to enhance their marketshare.
>
Well, their market share is enhanced more by shiny packaging and
bullshitting their customers into thinking their phones are secure.
> > Keep in mind that all PINs are 8-digit hex strings. Narrows the field a
> > bit. ;P
> The PIN is just the hardware identifier as I understand things - that
> isn't my concern - my concern is the fixed key.
Granted, but you need to determine the PIN (and then spoof it) for
PIN-to-PIN Blackberry messages.
You already know this, but for the benefit of the list: There's a
difference between BBM messages and PIN-to-PIN messages. With BBM, you
have to request permission to be added to their list and then you both
mutually approve each other. With PIN-to-PIN, you can send anyone a
message if you have their PIN. A PIN message is similar to email, and
displays red in your "messages" queue. BBM is threaded and closer to chat.
As of Blackberry v10 (I believe), BBM no longer uses a PIN, but the BBID.
Also, while a PIN message can be encrypted, the default option for both
BES ~and~ PIN messages is to not encrypt.
What REALLY scares me about this is how many medical providers use
Blackberry products in their practices. A stolen PIN coupled with a poorly
set-up BES could lead to a serious privacy breach.
Andrés Leopoldo Pacheco Sanfuentes <alps6085 at gmail.com> wrote:
> Are there "truly secure" solutions? I don't think so.. especially not when
> we add the qualifier "of mass consumption "
>
That's probably the real question. It probably doesn't exist with
off-the-shelf solutions. TextSecure is useful and secure, but the network
effect applies there as everywhere else. If I send you an encrypted text,
and you don't use the same app, you can't reasonably decrypt it. Cryptocat
mobile would be a game-changer here, but it also doesn't allow for
asynchronous communication since it's a chat program. And both parties
would still need to use it.
I'm not sure there's a full solution right now. Definitely a market
opportunity.
best,
Griffin
--
Technical Program Associate, Open Technology Institute
#Foucault / PGP: 0xAE792C97 / OTR: saint at jabber.ccc.de