[liberationtech] BlackBerry and CALEA-II
Griffin Boyce
griffinboyce at gmail.com
Mon Apr 29 17:51:40 PDT 2013
Jacob Appelbaum <jacob at appelbaum.net> wrote:
> > You already know this, but for the benefit of the list <snip>
>
> Unless these are on a BES server - it's all insecure - if it is on a BES
> server, it may still be insecure depending on a few factors.
>
Depends on whether they enable SMS logging, but that only requires
setting a flag. Phone call metadata is stored by default. The multitude of
things stored on / synced with is extensive, and includes email, address
book, browser history, and list of all apps installed. It can also access
the Password Keeper file remotely (you'd still need to brute force the main
password, but it's likely trivial).
If a user sets up sync, someone spoofing their phone could retrieve the
whole shebang, including all messages.
> > What REALLY scares me about this is how many medical providers use
> > Blackberry products in their practices.
> Well, sure. It would be as bad as every other BlackBerry device
> normally. A real joy, I tell you.
>
Maybe. I'd wager it's much worse. Depends on those affected.
> There are obviously degrees of secure.
>
There are also degrees of availability/access/usability. As a tech guy
with a lot of non-techy friends, the amount of work involved to get my
close friends using Pidgin+OTR has been non-trivial. For many options,
there are usability issues, class issues, that keep adoption pretty low.
And what does it mean to be one of a privileged subset who can get ahold
of e.g. a VOIP STE or buy a set of Cryptophones? For the first, you need
connections, and for both you need to be an advanced user (not to mention
have the money to afford them). Most people would picture the costs of
adoption to be greater than the benefits of adoption.
I suggest you check out Cryptophone
I've considered getting a pair for my girlfriend and myself, but other
options have proven to be a better fit.
> GibberBot with OTR provides the same set of features without all of the
> home rolled crypto problems, the web related problems or a third party
> that you're not already using on a daily basis.
>
Well, I'm using it on a daily basis. We're both biased in different
directions ;-)
best,
Griffin
--
Technical Program Associate, Open Technology Institute
#Foucault / PGP: 0xAE792C97 / OTR: saint at jabber.ccc.de