[liberationtech] BlackBerry and CALEA-II

Griffin Boyce griffinboyce at gmail.com
Mon Apr 29 18:56:35 PDT 2013 

Jacob Appelbaum <jacob at appelbaum.net> wrote:

> Spoofing? I mean, I suspect impersonating a phone requires knowledge of
> secret keys on the telephone. So to own the phone as you suggest, I
> think you'd have to have the phone already or control the BES.


  Probably.


> > Maybe.  I'd wager it's much worse.  Depends on those affected.
>
> Ok... was there something here that I'm missing? If you can downgrade
> the security that the BES would otherwise offer, you'd end up with...
> the default BlackBerry "security" protections.
>

  Yes. If someone pwns the BES (the Windows server that it's on), they wind
up with patient lists, browser history, potentially any medical information
on the device. Phone security in medicine (especially telemedicine) starts
out scary and just keeps going.


> Install Gibberbot, OTR comes for free.
>

  Not my point. Training and support for Gibberbot/OTR is not negligible.
Not every cost is financial.


> Neither requires an advanced user - both are so simple as to not require
> anything beyond remembering a single password, which can even be set to
> something simple, if you wanted.
>

Very good to know.  =)

Yes, both are more expensive than free but compared to a BlackBerry
> device with a BES? Negligible cost differences.
>

  They're not "more expensive than free," my understanding is that they're
more expensive than a thousand dollars.  Compare to an average BlackBerry
user who might spend $200 and renew their contract.  Enterprise users are
another category entirely and usually have their devices covered by their
employer.

Oh? How so? What did you go with and how does it contrast? For example
> the new Android Cryptophone has a baseband firewall - does your kit have
> something similar?
>

  We opted for the combination of more travel and encrypted chat.  When I
looked at costs vs features, I was more comfortable with that setup.  It
also seemed obnoxious to ask her to carry a phone that is just for talking
to me :D  And *I* rarely carry a phone because of security concerns.  So
overall it just didn't seem like a fit.

  Cryptophones are sexy as hell, but expensive, and not always the right
choice.

I'm not sure that I'd call my choice a bias.
>

  Most choices have some amount of bias inherent in them. Considering the
human factors here, yeah, it's probably biased to some extent on both sides

best,
Griffin

-- 
Technical Program Associate, Open Technology Institute
#Foucault / PGP: 0xAE792C97 / OTR: saint at jabber.ccc.de
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130429/899cc4d6/attachment.html>

More information about the liberationtech mailing list