[liberationtech] the Blackberry and Surveillance?
Christopher Parsons
christopher at christopher-parsons.com
Wed Jun 12 08:22:31 PDT 2013
Hello
I've written a pair of longer pieces that try to outline what is known
about Blackberry device security. One focuses primarily on BBM security
(http://www.christopher-parsons.com/the-danger-of-fetishizing-blackberry-messenger-security/)
whereas the other tries to more comprehensively look at the various BIS
services (which are, I think, largely deprecated in the BB10 OS
infrastructure)
(http://www.christopher-parsons.com/decrypting-blackberry-security-decentralizing-the-future/).
The end result is that BIS-based communications over BBM in particular,
while encrypted, do not necessarily offer a meaningful degree of protection
from the resources of state-based actors.
Cheers
Chris
Sent from my Privacy Undermining Technology
On Jun 12, 2013 7:10 AM, "Robert Guerra" <rguerra at privaterra.org> wrote:
> Michael & Ale,
>
> I gave numerous interviews back in 2010 when Blackberry started openly
> co-operating with governments to keep their service online. The concerns
> raised then remain unanswered by the company to this day.
>
> The company's unwillingness to constructively engage and be open
> regarding their practices on data sharing has led me to recommend
> that activists AVOID their devices and services at all costs. Other far
> more secure solutions exist, such as the open source Guardian Project.
> Their secure solutions for Android are excellent and quite respected by
> digital security practitioners.
>
> regards
>
> Robert
>
> Refs:
>
> BlackBerry has reportedly reached an agreement with Saudi Arabia to
> continue messaging services in the country. It's unclear what data will now
> be shared.
> (August 10, 2010)
>
> http://www.csmonitor.com/World/Global-News/2010/0810/BlackBerry-caved-to-Saudi-demands-rights-group
>
> The Guardian Project: Secure Mobile Apps and Open-Source Code for a Better
> Tomorrow
> https://guardianproject.info/
>
> --
> R. Guerra
> Phone/Cell: +1 202-905-2081
> Twitter: twitter.com/netfreedom
> Email: rguerra at privaterra.org
>
> On 2013-06-12, at 9:51 AM, ale fernandez wrote:
>
> > I remember also during the UK riots last year people started using BBM
> > and it was much more effective than other networks also partly due to not
> > being as obvious or closely tracked as Facebook posts etc.
> >
> > Ale
> >
> > On Wed, 12 Jun 2013 14:15:33 +0100
> > Michael Rogers <michael at briarproject.org> wrote:
> >
> >> On 12/06/13 09:14, michael gurstein wrote:
> >>> I haven't been watching that closely but in the course of my
> >>> following the current discussions on surveillance I have yet to see
> >>> a reference to RIM/Blackberry...
> >>>
> >>> Is this because its recent loss of market share means it isn't of
> >>> particular interest (I would have thought the up to recent user
> >>> demographics would rather make it of particular interest), because
> >>> of some features which put it outside of the current surveillance
> >>> stream, have I missed it in the current discussion, other?
> >>
> >> Hi Mike,
> >>
> >> As far as I know, the situation with BlackBerry is as follows. If
> >> you're an enterprise customer, you generate your own encryption key
> >> for BBM (I don't know whether it's used for email too), and run your
> >> own server. RIM claimed in August 2010 that it didn't have access to
> >> the encryption keys generated by enterprise customers and couldn't
> >> observe the content of their communication. The statement didn't say
> >> whether RIM could observe metadata.
> >>
> >>
> >> http://blogs.thenational.ae/business/beep-beep/full-rim-customer-statement-on-blackberry-security-issues
> >>
> >> If you're a non-enterprise customer, your BBM messages are scrambled
> >> with a key that's built into all BlackBerry devices and known to RIM.
> >>
> >>
> >> https://mailman.stanford.edu/pipermail/liberationtech/2013-April/008293.html
> >>
> >> RIM has come under pressure from several governments to decrypt BBM
> >> messages, so I think it's safe to assume that the key used for
> >> scrambling non-enterprise BBM messages is widely known by now.
> >>
> >> For both enterprise and non-enterprise customers, if you use a
> >> third-party email provider, that provider will have access to content
> >> and metadata regardless of what device you're using.
> >>
> >> I don't know whether wireless carriers can observe the metadata of BBM
> >> messages; they could collect the scrambled messages of non-enterprise
> >> customers, for descrambling by anyone who knows the key.
> >>
> >> Cheers,
> >> Michael
> >>
> >> --
> >> Too many emails? Unsubscribe, change to digest, or change password by
> >> emailing moderator at companys at stanford.edu or changing your settings at
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech