http://defensetech.org/2007/06/21/france-fears-blackberry-snooping-by-u-s/ The Future of the Military, Law Enforcement and National Security Wed, 17 Mar 2010 06:22:49 +0000 http://wordpress.org/?v=2.9.2 hourly 1 http://defensetech.org/2007/06/21/france-fears-blackberry-snooping-by-u-s/comment-page-1/#comment-163323 Tim Sun, 24 Jun 2007 23:55:40 +0000 http://deftech.usmilblog.com/?p=3575#comment-163323 A BES (Blackberry enterprise server) has encrypted end-to end communications to the Blackberry. So mort larger organizations will have this. The BES is inside the organizations network. The Blackberry itself uses 128bit encryption on its traffic, and can optionally encrypt all data on the blackberry with a different 128 bit key, and will erase itself rather than allow repeated password attempts. The only weakness there is a hypothetical trapdoor to allow password recovery from inside a snatched blackberry. Judging from the security policy Australia's DSD promulgate which turns OFF content encryption, I guess that if such a thing exists only US agencies know about it. The blackberry hardware has built-in anti-tamper and won't run a doctored system image. Organizations can impose security policies that enforce any or all of these features. A BES (Blackberry enterprise server) has encrypted end-to end communications to the Blackberry.
So mort larger organizations will have this.
The BES is inside the organizations network.
The Blackberry itself uses 128bit encryption on its traffic, and can optionally encrypt all data
on the blackberry with a different 128 bit key,
and will erase itself rather than allow repeated
password attempts.
The only weakness there is a hypothetical trapdoor to allow password recovery from inside a snatched blackberry.
Judging from the security policy Australia’s DSD promulgate which turns OFF content encryption, I guess that if such a thing exists only US agencies know about it.
The blackberry hardware has built-in anti-tamper and won’t run a doctored system image.
Organizations can impose security policies that enforce any or all of these features.

]]> http://defensetech.org/2007/06/21/france-fears-blackberry-snooping-by-u-s/comment-page-1/#comment-163321 ElMondoHummus Fri, 22 Jun 2007 19:19:54 +0000 http://deftech.usmilblog.com/?p=3575#comment-163321 "IT security is based upon randomness, complexity, and secrecy... that is, until somebody finds a decoder ring in a box of Cracker Jacks." Incorrect. IT Security is based upon setting priviledges, enforcing those as well as policies, ongoing detection of compromise attempts, distribution and enforcement of secure practices and encryption of anything that is beyond control of the system or network adminstrator. If someone tries to base their security model on randomness, complexity, and secrecy, that someone should be fired. "...the only question is the amount of time needed to break encryption." That's true, and with current encryption standards, that time equals centuries to millenia. Not practical for real-time intelligence, and for all practical purposes, unbreakable within a human lifetime. Look, everyone is hyperventilating over interception of Blackberry traffic, and everyone doing it doesn't know a thing about IT security. The *real* security hole is the device itself. Why bother wasting time trying to decrypt an intercepted message when the timeframe for decryption is beyond my lifetime? Why not just steal the damn device? **THAT'S** the real security hole: The end user's practices. That's **ALWAYS** the real security hole. Not the infrastructure in-between. The governments in question should worry about **that**, not about some obscure technical issue they don't understand, and which can be addressed with products like PGP anyway. “IT security is based upon randomness, complexity, and secrecy… that is, until somebody finds a decoder ring in a box of Cracker Jacks.“
Incorrect. IT Security is based upon setting priviledges, enforcing those as well as policies, ongoing detection of compromise attempts, distribution and enforcement of secure practices and encryption of anything that is beyond control of the system or network adminstrator. If someone tries to base their security model on randomness, complexity, and secrecy, that someone should be fired.
”…the only question is the amount of time needed to break encryption.“
That’s true, and with current encryption standards, that time equals centuries to millenia. Not practical for real-time intelligence, and for all practical purposes, unbreakable within a human lifetime.
Look, everyone is hyperventilating over interception of Blackberry traffic, and everyone doing it doesn’t know a thing about IT security. The *real* security hole is the device itself. Why bother wasting time trying to decrypt an intercepted message when the timeframe for decryption is beyond my lifetime? Why not just steal the damn device? **THAT’S** the real security hole: The end user’s practices. That’s **ALWAYS** the real security hole. Not the infrastructure in-between.
The governments in question should worry about **that**, not about some obscure technical issue they don’t understand, and which can be addressed with products like PGP anyway.

]]> http://defensetech.org/2007/06/21/france-fears-blackberry-snooping-by-u-s/comment-page-1/#comment-163319 campbell Thu, 21 Jun 2007 23:55:49 +0000 http://deftech.usmilblog.com/?p=3575#comment-163319 face it folks, every keystroke, and every electronic means of communicating is "breakable"; hence, insecure. period. the only question is the amount of time needed to break encryption. noting beat a "one time pad" made of wax. old, but absolute. face it folks, every keystroke, and every electronic means of communicating is “breakable”; hence, insecure.
period.
the only question is the amount of time needed to break encryption.
noting beat a “one time pad” made of wax. old, but absolute.

]]> http://defensetech.org/2007/06/21/france-fears-blackberry-snooping-by-u-s/comment-page-1/#comment-163318 Camp Thu, 21 Jun 2007 20:18:26 +0000 http://deftech.usmilblog.com/?p=3575#comment-163318 "War. War Never Changes." http://www.youtube.com/watch?v=_mcJAI6oRYY My guess, is their bucking for a private, or maybe public, Cackberry network to be setup in France. Eh, I could be wrong though. IT security is based upon randomness, complexity, and secrecy... that is, until somebody finds a decoder ring in a box of Cracker Jacks. It's all funny stuff, but C'est la vie. “War. War Never Changes.“
http://www.youtube.com/watch?v=_mcJAI6oRYY
My guess, is their bucking for a private, or maybe public, Cackberry network to be setup in France. Eh, I could be wrong though.
IT security is based upon randomness, complexity, and secrecy… that is, until somebody finds a decoder ring in a box of Cracker Jacks.
It’s all funny stuff, but C’est la vie.

]]> http://defensetech.org/2007/06/21/france-fears-blackberry-snooping-by-u-s/comment-page-1/#comment-163317 ElMondoHummus Thu, 21 Jun 2007 19:02:30 +0000 http://deftech.usmilblog.com/?p=3575#comment-163317 "If so, although the RIM Blackberry path may be perfectly secure, the Mail RIM path could easily be wide open. And the Blackberry -> Mail path is also wide open, becaues that goes back to SMTP at RIM before going onto the net." The answer can be found here: http://na.blackberry.com/eng/ataglance/security/features.jsp Assuming a Blackberry Enterprise Server is involved - that, admittedly is not a piece of information given here - then the message is secured with end-to-end encrption: "Data sent to the BlackBerry smartphone is encrypted by BlackBerry Enterprise Server using the private key retrieved from the user's mailbox. The encrypted information travels securely across the network to the smartphone where it is decrypted with the key stored there. Data remains encrypted in transit and is never decrypted outside of the corporate firewall" “If so, although the RIM Blackberry path may be perfectly secure, the Mail RIM path could easily be wide open. And the Blackberry -> Mail path is also wide open, becaues that goes back to SMTP at RIM before going onto the net.“
The answer can be found here:
http://na.blackberry.com/eng/ataglance/security/features.jsp
Assuming a Blackberry Enterprise Server is involved — that, admittedly is not a piece of information given here — then the message is secured with end-to-end encrption:
“Data sent to the BlackBerry smartphone is encrypted by BlackBerry Enterprise Server using the private key retrieved from the user’s mailbox. The encrypted information travels securely across the network to the smartphone where it is decrypted with the key stored there.
Data remains encrypted in transit and is never decrypted outside of the corporate firewall”

]]> http://defensetech.org/2007/06/21/france-fears-blackberry-snooping-by-u-s/comment-page-1/#comment-163316 Nicholas Weaver Thu, 21 Jun 2007 14:34:51 +0000 http://deftech.usmilblog.com/?p=3575#comment-163316 Just because it is certified for government use doesn't mean it should be used. Look at Diebold's voting machines... IMO such a critical piece of communication infrastructure should not cross national boarders if you care about your security. I think France is being very sensible here. Especially since I need to look into it further, but is mail TO RIM just through SMTP? If so, although the RIM Blackberry path may be perfectly secure, the Mail RIM path could easily be wide open. And the Blackberry -> Mail path is also wide open, becaues that goes back to SMTP at RIM before going onto the net. And given the universal tradition (France is notoroious for this, so I'd expect them to expect it of others) of economic espionage as well as espionage on allies, the Crackberries seem very dangerous for national security of non-US countries because of the basic architecture which routes all traffic through the US/Canada for the servers. Just because it is certified for government use doesn’t mean it should be used. Look at Diebold’s voting machines…
IMO such a critical piece of communication infrastructure should not cross national boarders if you care about your security. I think France is being very sensible here.
Especially since I need to look into it further, but is mail TO RIM just through SMTP?
If so, although the RIM Blackberry path may be perfectly secure, the Mail RIM path could easily be wide open. And the Blackberry -> Mail path is also wide open, becaues that goes back to SMTP at RIM before going onto the net.
And given the universal tradition (France is notoroious for this, so I’d expect them to expect it of others) of economic espionage as well as espionage on allies, the Crackberries seem very dangerous for national security of non-US countries because of the basic architecture which routes all traffic through the US/Canada for the servers.

]]> http://defensetech.org/2007/06/21/france-fears-blackberry-snooping-by-u-s/comment-page-1/#comment-62411 HUKI365 Thu, 21 Jun 2007 13:39:30 +0000 http://deftech.usmilblog.com/?p=3575#comment-62411 Australia's DSD actually can certify Blackberrys for government use. So I don't know what France is worried about. surely its a simple matter of getting their local Defence Disgnals Directorate to install a encryption tool? Australia’s DSD actually can certify Blackberrys for government use. So I don’t know what France is worried about. surely its a simple matter of getting their local Defence Disgnals Directorate to install a encryption tool?

]]> http://defensetech.org/2007/06/21/france-fears-blackberry-snooping-by-u-s/comment-page-1/#comment-163315 C Thu, 21 Jun 2007 13:35:29 +0000 http://deftech.usmilblog.com/?p=3575#comment-163315 this is all very valid paranoia. of course RIM is going to say it's secure, but there's really no telling what the agencies are capable of. there aren't a lot of organizations other than the intelligence orgs that hire entire departments of people just to figure out how to bust encryption. and yes, Boeing and Airbus are both considered vital to the national security of the US and France, respectively. this is all very valid paranoia. of course RIM is going to say it’s secure, but there’s really no telling what the agencies are capable of. there aren’t a lot of organizations other than the intelligence orgs that hire entire departments of people just to figure out how to bust encryption.
and yes, Boeing and Airbus are both considered vital to the national security of the US and France, respectively.

]]> http://defensetech.org/2007/06/21/france-fears-blackberry-snooping-by-u-s/comment-page-1/#comment-62409 Hoax Meister Thu, 21 Jun 2007 12:56:59 +0000 http://deftech.usmilblog.com/?p=3575#comment-62409 Of course the NSA reads Blackberry email. And of course this information is disseminated from NSA to Dept of Commerce to Boeing. Keeping Boeing going is viewed as a vital national security interest. Of course the NSA reads Blackberry email. And of course this information is disseminated from NSA to Dept of Commerce to Boeing.
Keeping Boeing going is viewed as a vital national security interest.

]]> http://defensetech.org/2007/06/21/france-fears-blackberry-snooping-by-u-s/comment-page-1/#comment-163314 Nicholas Weaver Thu, 21 Jun 2007 12:42:28 +0000 http://deftech.usmilblog.com/?p=3575#comment-163314 I suspect RIM is, ummm, playing fast and loose with the truth. The central server to blackberry communication may be nicely encrypted, but they probably have CALEA hooks or similar. Worse, if the mail TO the central server is sent through SMTP, well, thats all in the clear. So yeah, NSA can have serious fun with that. I suspect RIM is, ummm, playing fast and loose with the truth.
The central server to blackberry communication may be nicely encrypted, but they probably have CALEA hooks or similar.
Worse, if the mail TO the central server is sent through SMTP, well, thats all in the clear. So yeah, NSA can have serious fun with that.

]]>