RIM Agrees To Hand Over Its Encryption Keys To India

samzenpus posted more than 2 years ago | from the lets-see-what-you-got-there dept.

Blackberry 164

An anonymous reader writes "BlackBerry maker Research in Motion's (RIM) four-year standoff with the Indian government over providing encryption keys for its secure corporate emails and popular messenger services is finally set to end. RIM recently demonstrated a solution that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies. An amicable solution over the monitoring issue is important for the Canadian smartphone maker since India is one of the few bright spots for the company that has been battling falling sales in its primary markets of the US and Europe. In India, RIM has tripled its customer base close to 5 million over the last two years."

Yes but this won't help (5, Insightful)

Sir_Sri (199544) | more than 2 years ago | (#40863177)

Part of the appeal of RIM was that you knew governments weren't out there stealing secrets sent across your network. I understand that India has a legitimate security need to be able to wiretap communications and so on. But this isn't going to 'help' RIM. This takes away the only major competitive advantage they had, which was that using RIM meant you knew no one in the Indian government was going to steal your work and sell it to someone else (which is a serious concern in India).

If anything, this just levels the playing field. And that's bad for RIM, because they aren't competitive.

Re:Yes but this won't help (5, Insightful)

Moblaster (521614) | more than 2 years ago | (#40863237)

It's pretty clear what happened. They kept the keys secret and held out for a long time on "principle" because that was the best business decision at the time. Then, as the onslaught of iPhone and Android took its toll, the principle changed to survival, because that became the new best business decision.

It's sad, but at this point, it hardly affects any country but India anyway!

Re:Yes but this won't help (2)

Sir_Sri (199544) | more than 2 years ago | (#40863303)

And in most other countries you aren't worried about the government stealing and reselling most of your secrets anyway. At least not your own government.

Re:Yes but this won't help (0)

Anonymous Coward | more than 2 years ago | (#40863343)

Let's be real, they've just made it easier. Encryption is crackable, it just depends how much time & effort (and $$$) you want to spend on it.

But this is India we are talking about (1)

Taco Cowboy (5327) | more than 2 years ago | (#40863543)

Encryption is crackable

True, encryption _CAN_ be cracked, by hook or by crook

If it's the USA, with its seemingly unlimited resources (NSA and the like always get a blank check from Congress for whatever black programs they initiate), I would agree with you.

But you almost forgot one thing: this is INDIA we are talking about - a nation in which nearly 30% of its population is still living below the one-dollar-a-day level

Re:But this is India we are talking about (3, Funny)

JoeMerchant (803320) | more than 2 years ago | (#40863933)

Encryption is crackable

True, encryption _CAN_ be cracked, by hook or by crook

Are you talking about this [xkcd.com] form of cracking? Because, with a sufficiently long secret key, it is proven [wikipedia.org] impossible to break.

I like using long period [hiroshima-u.ac.jp] PRNGs to make an effective one-time pad. How you initialize the PRNG is your key.

Re:But this is India we are talking about (1)

compro01 (777531) | more than 2 years ago | (#40863983)

In other words, you use a stream cipher.

Re:But this is India we are talking about (2)

JoeMerchant (803320) | more than 2 years ago | (#40864789)

Yes, and brute forcing the stream cipher key can take a very long time.

2^19937 is a big number.
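
An added example, not part of the thread, on the exchange above about keying a long-period PRNG and using its output as a pad. It assumes the linked generator is the Mersenne Twister (MT19937, period 2^19937-1) as implemented by Python's `random` module, and shows that the period is not the key strength: 624 known keystream words determine every later word, which is why a vetted stream cipher is the tool for this job. All names and sample data are constructed for the illustration.

```python
import random

WORDS = 624  # MT19937 internal state: 624 words of 32 bits


def keystream_words(seed, count):
    """Assumed scheme from the thread: the seed is the key, PRNG output is the pad."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


def xor_with_words(data, words):
    """XOR data with the big-endian byte expansion of the keystream words."""
    pad = b"".join(w.to_bytes(4, "big") for w in words)
    return bytes(a ^ b for a, b in zip(data, pad))


def _undo_right(y, shift):
    # Invert y ^= y >> shift by fixed-point iteration (top bits are already correct).
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left(y, shift, mask):
    # Invert y ^= (y << shift) & mask (low bits are already correct).
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x


def untemper(y):
    """Map one 32-bit MT19937 output back to the state word that produced it."""
    y = _undo_right(y, 18)
    y = _undo_left(y, 15, 0xEFC60000)
    y = _undo_left(y, 7, 0x9D2C5680)
    return _undo_right(y, 11)


def clone_from_outputs(outputs):
    """Rebuild a generator that continues the stream after 624 consecutive outputs."""
    if len(outputs) != WORDS:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(w) for w in outputs) + (WORDS,)  # index 624: regenerate next
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def recover_tail(ciphertext, known_prefix):
    """Decrypt everything after a known 2496-byte prefix, without the seed."""
    n = WORDS * 4
    if len(known_prefix) < n or len(ciphertext) < n:
        raise ValueError("need 2496 bytes of known plaintext and ciphertext")
    pad = bytes(c ^ p for c, p in zip(ciphertext[:n], known_prefix[:n]))
    observed = [int.from_bytes(pad[i:i + 4], "big") for i in range(0, n, 4)]
    clone = clone_from_outputs(observed)
    tail = ciphertext[n:]
    words = [clone.getrandbits(32) for _ in range((len(tail) + 3) // 4)]
    return xor_with_words(tail, words)


def demo():
    """Constructed scenario: predictable header followed by a short secret."""
    seed = 0x5EEDC0DE5EEDC0DE5EEDC0DE          # constructed "key"
    header = b"H" * (WORDS * 4)                 # constructed, guessable content
    secret = b"constructed secret: meet at noon"
    plaintext = header + secret
    words = keystream_words(seed, (len(plaintext) + 3) // 4)
    ciphertext = xor_with_words(plaintext, words)
    return recover_tail(ciphertext, header) == secret


if __name__ == "__main__":
    print("tail recovered without the seed:", demo())
```

The recurrence is linear, so the 624 observed words do not need to start at a state boundary; any 624 consecutive outputs are enough.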

Re:Yes but this won't help (4, Insightful)

Prune (557140) | more than 2 years ago | (#40864727)

They only have the keys to the non-business service. Corporate users deploying Blackberry Enterprise Server create their own key pairs when registering each handset with the company's BES server, and so control the encryption end-to-end. There are no third parties with access to these keys, making this far more secure than SSL, for example. The article is FUD.

Re:Yes but this won't help (5, Informative)

narcc (412956) | more than 2 years ago | (#40863317)

As has been pointed out over and over again, This Does Not Affect BES Users.

Everyone else is just as insecure as they always were. If you want security in India, RIM is still your only real choice.

More details here [crackberry.com]

Re: Not BES, and only India (3, Interesting)

gnoshi (314933) | more than 2 years ago | (#40863431)

And it is probably also worth pointing out that this means that RIM's BIS service provides better content protection than SMS/MMS, unencrypted email (which is virtually all e-mail, and indeed all Android phones using the inbuilt GMail app), and almost any IM out there. I've also missed other equally unprotected means of communication.

Why? Because at least BIS is encrypted in transit to and from RIM. (To be fair, services like MSN Messenger in which all messages go through a central server could be considered more secure than BIS communications, as long as both clients are connecting to the server via SSL).
Hell, even BB PIN-to-PIN messaging is more secure than many or most of the aforementioned modes of communication. Yes, the key used for encryption is present on each and every handset - but a random MITM sniffer can't get the content without at least having to decrypt it.

Sure, an Android user could get TextSecure for encrypted SMS, but does anyone actually know anyone who USES this tool?

Re: Not BES, and only India (1)

Mr. X (17716) | more than 2 years ago | (#40863835)

Are you saying that email sent via the Android GMail app isn't encrypted between the device and Google's servers? I can't believe that would be the case, since they made a big deal about forcing people onto SSL for web access to GMail quite a while ago.

Re: Not BES, and only India (3, Insightful)

Anonymous Coward | more than 2 years ago | (#40863867)

Are you saying you trust your smart phone to have only real, valid intermediate ssl certificates? Or are you so ignorant to think that governments aren't trying to man-in-the-middle SSL like crazy, especially on mobile networks.

Re: Not BES, and only India (1)

Anonymous Coward | more than 2 years ago | (#40863885)

They don't need MITM; they have the CA private keys.

Re: Not BES, and only India (1)

Fjandr (66656) | more than 2 years ago | (#40864577)

Won't matter once CALEA is amended to include non-voice public networks. It'll happen eventually.

This isn't to say I support the extension; I think those proposing it should be shot. That doesn't change the reality that it will eventually be enacted, whether it requires sneaking it into a broad authorization bill or actually getting the support to pass it on its own.

Re: Not BES, and only India (0)

Anonymous Coward | more than 2 years ago | (#40863939)

Are you saying that email sent via the Android GMail app isn't encrypted between the device and Google's servers?

Of course it is. But the govt of India could easily force a local certificate authority to issue a fake ssl certificate for MITM snooping, or the govt of India could just ask Google to hand over the data (and Google will).

That is part of the beauty of the Blackberry Enterprise Server platform - RIM does not have the decryption keys, so if a govt comes with a court order, there is nothing for RIM to hand over.

Re: Not BES, and only India (1)

Stewie241 (1035724) | more than 2 years ago | (#40864263)

Sure, BES has that advantage. GP was responding to "unencrypted email (which is virtually all e-mail, and indeed all Android phones using the inbuilt GMail app), and almost any IM out there. I've also missed other equally unprotected means of communication. Why? Because at least BIS is encrypted in transit to and from RIM"

i.e. he was refuting the statement that Android phones send email unencrypted. This isn't true. Email is encrypted on the route to Google's servers. What happens from there is dependent on the eventual destination. This is the same standard that BIS meets, right?

Re: Not BES, and only India (2)

gnoshi (314933) | more than 2 years ago | (#40864797)

Are you saying that email sent via the Android GMail app isn't encrypted between the device and Google's servers?

No, I'm not saying that GMail for Android (or via a browser, or iPhone) doesn't use SSL. However, GMail is an e-mail service using a client (on Android) which doesn't have support for encryption apart from SSL to the server. Sure, if I'm sending GMail to GMail that's fine - it falls into the same boat as MSN Messenger. If I'm sending to a non-GMail recipient, then that goes out the window.

There are other apps which can use GMail, and do provide encryption functionality, but as with TextSecure - how common is their use (with encryption)?

Who does it effect? (1, Insightful)

jago25_98 (566531) | more than 2 years ago | (#40863649)

I think we need to make clearer what exactly the impact of this is.

Does an Indian businessman who bought a Blackberry in SouthAmerica and is working in Europe be assured on some level of privacy on communications?

Does an American businessman with a Blackberry bought in the USA visiting India on the way to China need to rethink how company documents are transmitted?

Not very clear, especially as the BIS keys can't and therefore haven't been handed over.

So we have a new server in India, but what is being routed through it?

Re:Who does it effect? (0)

Anonymous Coward | more than 2 years ago | (#40863893)

Does an Indian businessman who bought a Blackberry in SouthAmerica and is working in Europe be assured on some level of privacy on communications?

Are they in India? Do the Indian authorities have a reasonable argument for jurisdiction? From what you've said, no, they don't.

Does an American businessman with a Blackberry bought in the USA visiting India on the way to China need to rethink how company documents are transmitted?

Do you think for a second that the US government would be comfortable with running entire wings of their government on BlackBerry if this was an issue?

Re:Who does it effect? (3, Informative)

epiphani (254981) | more than 2 years ago | (#40864005)

My god these posts are annoying.

Does an Indian businessman who bought a Blackberry...

Does an American businessman with a Blackberry...

Do they have a BES? If they have a BES, nothing to worry about. Next question?

Re:Who does it effect? (0)

Anonymous Coward | more than 2 years ago | (#40864057)

If you are an American businessman with a North American phone & carrier & BIS account, your BIS account goes through an entirely different data center than the one an Indian user's data goes through, ditto for China. Your payment to the carrier to have signal (roaming charges or whatever) would be your own problem of course, but there are several 'world phone' options that would work seamlessly.

Now if you buy a new SIM while you are in India that uses a local carrier, and you have to add your email accounts to it, that would be a phone using the Indian data center. . .

Re:Who does it effect? (0)

Anonymous Coward | more than 2 years ago | (#40864363)

When a Brit going from point A to point B by a plane within his/her country, or an Indian sending money from South America to India, or an Australian calling home from the US (or even Canada) are sure that our TLA don't know about it, the persons you mention can also be assured of privacy. Assuming or expecting or demanding privacy from other Governments while we let our government demand and collect all sorts of information about foreigners (and us too) is naive at best but normally arrogance.

Re:Yes but this won't help (1)

Sir_Sri (199544) | more than 2 years ago | (#40864875)

This Does Not Affect BES Users.

No, being within India they are already subject to Indian laws, and already have to hand over any enterprise keys they have stored within India if they're 'asked'.

If you're running your BES from outside the country then you might have a temporary reprieve, until the Indian government gets wind of that plan.

Why hand over the keys themselves??? (0)

Anonymous Coward | more than 2 years ago | (#40863611)

Even if the keys just decrypt Indian blackberries (not sure do they just do Indian bbs?) why hand them the keys so they can decrypt everything by themselves? Why not make them ask, possibly on a self-service site for what they want decrypted? And why not charge them a fee for it as well as many cell phone companies charge fees for wiretaps? Sure they're not going to like it as the question is often as interesting as the answer in intel but who the hell are these Indian fucks anyway, why should they not have to "share" what they're interested in with us intelligence?? I'm sure if they knew every request they make is made known to other agencies, they would think twice about asking for things.

Re:Yes but this won't help (2)

thePowerOfGrayskull (905905) | more than 2 years ago | (#40864039)

As others have pointed out, this doesn't affect BES - they're as secure as ever in the enterprise.

Thing is, they've always given this level of access to governments (or we reasonably assume this is the case, anyway) for their BIS service. The difference is officials in India needed to save face and made a big deal out of this - even though they're getting only what they were told they could get from the start, and certainly no more than any other government.

Re:Yes but this won't help (0)

EdIII (1114411) | more than 2 years ago | (#40864143)

I understand that India has a legitimate security need to be able to wiretap communications and so on.

No it doesn't. There is never a legitimate need to tear away freedoms in exchange for questionable gains in security. Ever.

Sorry to be pedantic, but we should never give any such behavior by a government any legitimacy at all.

Re:Yes but this won't help (2)

Sir_Sri (199544) | more than 2 years ago | (#40864893)

Sorry to be pedantic

You're not being pedantic, you're living in a fantasy land. This isn't a legal treatise on just what should be the requisite standard for a wiretap, because that depends in large part on the details of the existing legal system. Wiretap rules in France and the US can be completely different but both reasonable. India has both the authority and a legitimate need to be able to wiretap communications in their own country. Suggesting they can't is wearing a tinfoil hat because you think they have satellites spying on you. Which sometimes they do.

Re:Yes but this won't help (1)

DaMattster (977781) | more than 2 years ago | (#40864271)

No, there is no legitimate need to wire tap without any kind of warrant. India calls itself the largest democracy and it behaves in an authoritarian manner.

Re:Yes but this won't help (2)

AK Marc (707885) | more than 2 years ago | (#40864325)

If the people vote for authoritarian, does that make it non-democratic?

Re:Yes but this won't help (1)

Sir_Sri (199544) | more than 2 years ago | (#40864903)

No, there is no legitimate need to wire tap without any kind of warrant

I didn't talk about the requirements. Because 'requiring a warrant' is stupid. It's not stupid in the US legal system, but that doesn't mean that's appropriate for India, or Oman, or the Emirates or whatever. India has its own legal system, it's up to them to decide what is or is not a sufficient condition for wiretapping, and that's a separate discussion.

What BS!!! (0)

bayankaran (446245) | more than 2 years ago | (#40864603)

This takes away the only major competitive advantage they had, which was that using RIM meant you knew no one in the indian government was going to steal your work and sell it to someone else (which is a serious concern in india).

Either you don't live in India or you have no idea about India.
Indian government needs the keys for its own stupid "war against terror". I am yet to hear Indian government or government agencies stealing corporate secrets / reverse engineering / trade secrets.
India is not China if that's what you imply. And the Chinese are doing what the Western civilization did 50 or 100 years ago.

Re:What BS!!! (1)

Sir_Sri (199544) | more than 2 years ago | (#40864879)

I wouldn't even trust my uncles and cousins who work in pharmaceuticals oversight. In India.

And yes, China is far worse because the theft is state sponsored. India it's not state sponsored, it's more at the level of corporate espionage, and there's bugger all you can do about it.

Re:Yes but this won't help (3, Informative)

Prune (557140) | more than 2 years ago | (#40864719)

The article is misleading. The corporate service using Blackberry Enterprise Server has not been compromised because the encryption keys are controlled by the company deploying BES end-to-end. The company's IT generates the encryption key pairs when adding new handsets to the server. What's discussed only affects specific messaging over the non-business Blackberry service BIS.

Re:Yes but this won't help (1)

Sir_Sri (199544) | more than 2 years ago | (#40864883)

Businesses in India will already be subject to Indian laws though. RIM isn't subject to Indian law, that's why they've been able to squabble over this as long as they have.

Re:Yes but this won't help (1)

Impy the Impiuos Imp (442658) | more than 2 years ago | (#40864887)

It's bad enough we have crap like the secret AT&T room for the NSA which filters all phone calls through it -- the government isn't monitoring opposing party's calls, trust us.

A country like India, which is still largely the desired place for college students to work -- so they can rise up and start demanding kickbacks. (Don't mod me down as a troll -- mod down the multiple Indian computer programmers who told me this was how it is.)

Not the greatest environment to feel secure your secrets aren't being sold off to the highest bidders.

Sell now (0, Flamebait)

isopropanol (1936936) | more than 2 years ago | (#40863179)

Too late to short the stock. There went any remaining perception that there was any reason to choose Blackberry over an ActiveSync or IMAP capable device.

Re:Sell now (1)

ceoyoyo (59147) | more than 2 years ago | (#40863515)

It seems to me VPN or IMAP over SSL has all the advantages of BB without the risk they'll sell you out. And has for some time.

Re:Sell now (0)

Anonymous Coward | more than 2 years ago | (#40864103)

What we need is a completely free phone. From the modem on up and a one way paging system that can only receive information and works on a huge scale. I know this doesn't exist today although that is still something we need. Instead of receiving a call we should be receiving millions of tiny codes. If your device receives your code it turns the modem on and connects to a waiting caller who is on hold. This way you don't have to worry about governments tracking your every move. You also don't have to worry about back doors. You can also then implement a proper security system which does not rely on any company for security. Or there are multiple operators (think VPN + voip so that the cellular provider has no control).

Re:Sell now (4, Insightful)

bill_mcgonigle (4333) | more than 2 years ago | (#40864471)

It seems to me VPN or IMAP over SSL has all the advantages of BB without the risk they'll sell you out. And has for some time.

yeah, I was pointing this out to clients as early as 2004. I had a working IMAPS client on a Treo 650 at the time. They wanted Outlook integration over security (despite always talking about their multi-billion-dollar IP that had to be protected at all costs). Lesson learned: most people don't care about security, they just say they do.
 

Re:Sell now (1)

Anonymous Coward | more than 2 years ago | (#40864769)

Lesson learned: most people don't care about security, they just say they do.

Just like when a woman says she wants a "nice guy", then dates ten douches in a row that abuse the fuck out of her, all the while her bitching about the douches to a nice guy who she coincidentally isn't at all interested in.

Moral of the story: Corporations are full of the crazy!

(Apologies in advance to my opposite gender. Just got a call while reading this article from just such a person whom (I thought) I got over a decade ago... Clearly I was mistaken) :/

Re:Sell now (0)

Anonymous Coward | more than 2 years ago | (#40863795)

Too late to short the stock. There went any remaining perception that there was any reason to choose Blackberry over an ActiveSync or IMAP capable device.

Except, if you bothered to actually investigate the matter, it wasn't true.

Re:Sell now (0)

Anonymous Coward | more than 2 years ago | (#40863919)

ActiveSync

If you're using ActiveSync, you could probably just as easily use BES or BESExpress (FREE!) - both of which would prevent the Indian government from snooping on your stuff.

Re:Sell now (1)

JoeMerchant (803320) | more than 2 years ago | (#40863965)

I have noticed that news-reaction stock market swings are more responsive to the general public's perception of a news item than they are to the opinions of technical people who may, or may not, have a better grasp of the future business implications of a piece of news.

In other words, betting opposite of the sentiment you read on /. is likely to bring you better than average returns.

Re:Sell now (4, Informative)

LordLimecat (1103839) | more than 2 years ago | (#40863967)

I hope you aren't in a position where you advise anyone on IT.

Active Sync's security is in LARGE part dependent on the security of SSL. For a HUGE number of organizations, those SSL keys are self-signed, which provides about the same security of WEP. All that is needed to break in is to somehow get the device to reach out to your server, and then have your server present a similar self-signed cert. Even if you are using a "proper" cert, you can be "easily" bugged by a government, since a large number of governments are considered trusted root authorities (including China); this means they can generate their own certificate, claim to be your Exchange CAS, and your device will happily talk back and forth with it. Presumably at that point your device would authenticate to that rogue server; I'm not clear in what form the credentials would be sent, but we're already into "danger" territory.

On the flip side, with a proper BES (which is NOT what is being discussed in TFA), SSL simply isn't in the loop. All communications are relayed through RIM, but the encryption keys (up to AES-256) are held completely internally. I believe (though I could be wrong) that each device has its own key which is derived from the master key, so under the absolute worst conditions someone could seize a blackberry and -- shockingly -- have access to that user's email. But of course, they'd have to get around the in-memory encryption and flash encryption that a security-sensitive organization would obviously have enforced on their blackberries.

At the end of the day, if absolute security is a necessity, you probably don't want your employees running around with smartphones, but if you do, you're using Blackberry / BES because there STILL isn't a good competitor in that range. Plus, if we're completely honest, most androids are touchscreen, and touchscreen devices simply aren't as good at fulfilling the role of business communication device. They have other perks, but from personal experience I can say that they are a massive letdown when it comes to email and phone.

Re:Sell now (2)

LordLimecat (1103839) | more than 2 years ago | (#40863979)

PS, if you think IMAP is a serious competitor to what a BES does, you are even more in the dark than I originally thought.

Re:Sell now (1)

isopropanol (1936936) | more than 2 years ago | (#40864555)

Setting up a private CA and removing default CAs != self-signed cert. SSL can be set up securely.

Re:Sell now (0)

Anonymous Coward | more than 2 years ago | (#40864827)

All that is needed to break in is to somehow get the device to reach out to your server, and then have your server present a similar self-signed cert.

And if the malicious server presents a cert signed by Verisign then you're in the same position; the device will trust it implicitly if the CA's root cert is in its store and will happily connect to myc0mpany.com instead of mycompany.com.

That's not a problem with self-signed certs, that's a problem with SSL

RIM's private keys (0)

whoever57 (658626) | more than 2 years ago | (#40863187)

So, basically, RIM is handing over its own private keys, with corresponding public keys built into all Blackberries, worldwide, to a government agency.

Why don't they just do it the simple way and post their private keys on their website?

Re:RIM's private keys (2)

radiumsoup (741987) | more than 2 years ago | (#40863257)

give it a few days and someone will do it for them.

Did any of you yahoos bother to read the article? (2, Informative)

Anonymous Coward | more than 2 years ago | (#40863395)

"RIM recently demonstrated a solution developed by a firm called Verint that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies..."

Re:RIM's private keys (4, Insightful)

LordLimecat (1103839) | more than 2 years ago | (#40863995)

Once again. For the last time....
RIM does NOT have the encryption keys used by BES servers. Those keys are held internally by businesses only, and those are then used (along with "random" data) to generate the device keys. Even if RIM somehow had the organization's master key, they wouldn't have access to the "random" data that was used to derive the device key (which is pulled from that "wiggle your mouse around for a while" procedure).

In other words, BES servers continue as unaffected as before. Call me when India figures out how to large-scale crack AES256 with unknown keys.

Nothing like giving in... (3, Funny)

theNAM666 (179776) | more than 2 years ago | (#40863191)

... to a democratically elected government...

Re:Nothing like giving in... (1)

Sir_Sri (199544) | more than 2 years ago | (#40863249)

The government in India is democratic, but that doesn't make it any less corrupt to the bone. I wouldn't trust anyone in the Indian government with my business secrets. Including my own relatives (who are in the civil service).

India is fully entitled to demand wiretap access. Democratic or not. But the whole reason to choose RIM over a competitor in India was precisely because the government couldn't get into the system, because you can't trust people in government to not just steal your secrets and sell them.

Re:Nothing like giving in... (2, Informative)

Anonymous Coward | more than 2 years ago | (#40863643)

India's corruption puts any Western government to shame. Want to get anything done? You WILL pay a bribe, and a good one at that, down to the "untouchable" cleaning out poop out of the sewer.

The caste system still stays there, same with the attitude of helping people is considered bad juju since it interferes with their divine punishment.

Also remember: India isn't a friend to the West. During the Cold War, they were doing their best to cozy up to the Russians, and were willing to do almost anything for them.

India demanding keys from RIM is no surprise. I'm sure that any US or European messages in that region will wind up in the hands of them, or their Chinese buds.

Makes you want to trust the broken CA system in SSL/TLS. At least you can possibly dump all other CAs and use your own root certs with have your own trust, as opposed to RIM's "trust us, or buy a new device". Oh... run a BES backend... sure. Like anyone bothers with that.

Re:Nothing like giving in... (1)

MightyMartian (840721) | more than 2 years ago | (#40863297)

To a very corrupt democratically elected government. The keys will be in the hands of Russian mobsters in a few days.

Re:Nothing like giving in... (1)

theNAM666 (179776) | more than 2 years ago | (#40863357)

Evidently I should have enclosed the above in tags.

Re:Nothing like giving in... (1)

theNAM666 (179776) | more than 2 years ago | (#40863363)

*sarcasm* tags. (original filtered out by /. darn editing software)

Re:Nothing like giving in... (1)

Desler (1608317) | more than 2 years ago | (#40863397)

Then you did it wrong. <sarcasm></sarcasm>

Re:Nothing like giving in... (1)

Opportunist (166417) | more than 2 years ago | (#40863351)

Democratically elected doesn't mean jack anymore, if it ever did. Do you know any democratic government that's not for sale to the highest bidder?

Re:Nothing like giving in... (1)

theNAM666 (179776) | more than 2 years ago | (#40863387)

/me evidently thought that *sarcasm* tags were not necessary for this audience. Don't know why...

Re:Nothing like giving in... (1)

Cosgrach (1737088) | more than 2 years ago | (#40863951)

Most of the people here on /. would not know sarcasm if it were to bite them on the ass.

Re:Nothing like giving in... (1)

theNAM666 (179776) | more than 2 years ago | (#40864367)

Perhaps we could arrange for them to be electrically shocked while it bit them on the arse, and simultaneously, offer the smell of raw steak.

Re:Nothing like giving in... (3, Funny)

AK Marc (707885) | more than 2 years ago | (#40864351)

Sarchasm. The gap between you and the joke.

Sargasm. When your joke makes you laugh a little too hard.

Actually not quite? (1)

Anonymous Coward | more than 2 years ago | (#40863227)

According to this article in The Register: http://tinyurl.com/d2zllzk - they don't have the keys to hand over

So how long? (0)

Anonymous Coward | more than 2 years ago | (#40863245)

till these keys get leaked?

As if people needed another reason to jump off of RIM.

Not quite the full story... (4, Informative)

Shabbs (11692) | more than 2 years ago | (#40863269)

Please, the BES keys have not been handed over... because they can't be...

http://crackberry.com/rim-encryption-keys [crackberry.com]

BIS != BES.

Re:Not quite the full story... (1)

sphealey (2855) | more than 2 years ago | (#40863457)

"I did not steal the stocks or the bonds"

_Tales of the Black Widowers_, Isaac Asimov

Re:Not quite the full story... (1)

Prune (557140) | more than 2 years ago | (#40864699)

I don't get it. Care to clarify?

Re:Not quite the full story... (1)

whoever57 (658626) | more than 2 years ago | (#40863615)

Please, the BES keys have not been handed over... because they can't be...

I don't know how BBs work, so this is pure speculation, but when connecting to a BES server, does the device require a specific key that is tied to that server, or merely any valid key? If the latter, then a man-in-the middle system could allow connections to BES servers to be spied upon.

Re:Not quite the full story... (3, Informative)

Shabbs (11692) | more than 2 years ago | (#40863685)

It needs a specific key. A BES connection is secured by a key-pair that is generated when the BlackBerry is added to the BES. This allows for the 3DES encryption to occur for all communications over the BES connection.

The situation you're talking about applies to BIS where any handset can decrypt the encrypted messages.

This misunderstanding of the differences between BIS and BES led to a lot of FUD, unfortunately.

And you know Apple is keeping an eye on this... cuz India will be coming after them too for access to their iMessage comms, if they have not already done so.
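The key-custody difference described in the comment above (a per-handset key created at BES enrollment versus a BIS key that is not unique to one handset), as an added Python sketch that is not part of any post in this thread and is not RIM's protocol. The SHA-256 keystream with HMAC is a toy stand-in for the 3DES/AES mentioned, and every party name, key and message is a constructed assumption.

```python
import hashlib, hmac, secrets

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _stream(key, nonce, n):
    # SHA-256 in counter mode: a toy stand-in for the 3DES/AES named in the thread.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, msg):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(_subkey(key, b"enc"), nonce, len(msg))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed: not the key this message was sealed with")
    return bytes(a ^ b for a, b in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))

def readers(blob, keyrings):
    """Names of every party holding a key that opens the blob."""
    def can_open(keys):
        for k in keys:
            try:
                unseal(k, blob)
                return True
            except ValueError:
                continue
        return False
    return sorted(name for name, keys in keyrings.items() if can_open(keys))

def demo():
    shared = secrets.token_bytes(32)   # assumed BIS-style key: operator and every handset hold it
    dev_a = secrets.token_bytes(32)    # assumed BES-style key: made when handset A is enrolled
    dev_b = secrets.token_bytes(32)    # a different handset's enrollment key
    keyrings = {
        "operator": [shared],          # can hand over only what it holds
        "enterprise_server": [dev_a, dev_b],
        "handset_a": [shared, dev_a],
        "handset_b": [shared, dev_b],
    }
    consumer = seal(shared, b"constructed consumer message")
    enterprise = seal(dev_a, b"constructed enterprise mail")
    return readers(consumer, keyrings), readers(enterprise, keyrings)
```

`demo()` returns the parties able to read each message: the operator appears only in the shared-key list, and a key belonging to a different enrolled handset fails authentication rather than decrypting.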

Re:Not quite the full story... (1)

LordLimecat (1103839) | more than 2 years ago | (#40864021)

Note that BES servers by default use 3DES and (I think?) MD5, but can with the click of a button be transitioned to AES / SHA.

Re:Not quite the full story... (0)

Anonymous Coward | more than 2 years ago | (#40864149)

Note that BES servers by default use 3DES and (I think?) MD5, but can with the click of a button be transitioned to AES / SHA.

False.

Out of the box a BES is configured to support both AES and 3DES, and will default to the strongest available (AES) if the handheld supports AES (ie, the blackberry is less than 10 years old).

Why? A long, long time ago, there were some blackberry handhelds that only supported 3DES, and they could still work today.

But these days 3DES is never used, unless the BES admin does something stupid like disable AES entirely.

Re:Not quite the full story... (0)

Anonymous Coward | more than 2 years ago | (#40864035)

And you know Apple is keeping an eye on this... cuz India will be coming after them too for access to their iMessage comms, if they have not already done so.

Interesting that RIM has been in the news for this. Android and Apple have not. Hmm....

Re:Not quite the full story... (1)

Prune (557140) | more than 2 years ago | (#40864691)

BES has been using AES by default for many years, and will only use 3DES for decade-old handsets that don't support AES.

Re:Not quite the full story... (0)

Anonymous Coward | more than 2 years ago | (#40864101)

BIS, BES, doesn't matter in my book.

That RIM gave in (and that India demanded) at all is still BS.

Moral of the story (4, Insightful)

characterZer0 (138196) | more than 2 years ago | (#40863289)

Moral of the story: If you do not control end-to-end encryption yourself, it is not secure.

Re:Moral of the story (4, Insightful)

Opportunist (166417) | more than 2 years ago | (#40863375)

In this case you don't even control ANY part of the encryption, not even on your end. Something that is the absolute bare minimum for any kind of security.

Re:Moral of the story (2)

Lehk228 (705449) | more than 2 years ago | (#40863729)

if you want to control end to end get a BES

Re:Moral of the story (0)

Anonymous Coward | more than 2 years ago | (#40863925)

if you want to control end to end get a BES

Oh ffs think. What if you are sending messages to someone on BIS?

RIM just fucked itself

Re:Moral of the story (1)

JoeMerchant (803320) | more than 2 years ago | (#40863977)

Moral of the story: If you do not control end-to-end encryption yourself, it is not secure.

This ^ period.

Re:Moral of the story (0)

Anonymous Coward | more than 2 years ago | (#40864009)

Anyone who uses "This" with an arrow is gay.

Re:Moral of the story (1)

psiclops (1011105) | more than 2 years ago | (#40864311)

This ^.

I'm glad I'm not the only one that gets annoyed by that.

Re:Moral of the story (0)

Anonymous Coward | more than 2 years ago | (#40864401)

^ This ^

Re:Moral of the story (1)

Prune (557140) | more than 2 years ago | (#40864675)

Except there's no story here, as BES, the service that corporate Blackberry deployments use, _is_ end to end--the encryption key pairs are generated by the company that deploys a BES installation, and neither RIM nor anyone else has access to them, unlike SSL certificates etc. The article is about the consumer BIS service and doesn't affect enterprise.

Sheesh (-1)

epp_b (944299) | more than 2 years ago | (#40863319)

As if there wasn't already enough reason not to buy a BlackBerry?

Quite a RIMjob... (0)

Anonymous Coward | more than 2 years ago | (#40863391)

Which will take down the rest of the RIM jobs at the end (to end crypto :)

It's OK... (4, Funny)

tlambert (566799) | more than 2 years ago | (#40863501)

Half the country has been unable to recharge their Blackberries for two days in a row anyway.

Saving Face (5, Informative)

Anonymous Coward | more than 2 years ago | (#40863693)

from the fine article:

"But he said there was no access to secure encrypted BlackBerry enterprise communications or corporate emails as these were accessible only to the owners of these services."

The reality is BES uses keys assigned by the owner of the BES server. RIM HAS NOT and CAN NOT give those to anyone, because they don't know them. This has been RIM's position from the beginning, and still is. What they HAVE done is give access to the messaging services they run (and therefore have keys to) to the Indian authorities. My understanding is that this was always the case. The article really does not make the distinction between the two clear.

TLDNR: RIM gave what they always give anyone, some minister is using it to try and save face. Poor reporting means it worked.

Re:Saving Face (1)

Prune (557140) | more than 2 years ago | (#40864687)

Indeed. And even for messaging, if you're using BES, then you can use your own keys for PIN-to-PIN messaging and then it's fully secure. This article is mostly FUD.


My name is Patel, and I read all your email ! (0)

Anonymous Coward | more than 2 years ago | (#40864043)

If this isn't the final nail in the coffin for RIM, I don't know what is.

Any company that would do this deserves to go under.

Nortel ? Meet your new room mate, Mr. RIM. He had a
good run for a while but now he is wondering where his
next meal is coming from ...

Is there any point? (0)

apcullen (2504324) | more than 2 years ago | (#40864059)

What's the point of paying extra for blackberry service if it's not secure? Isn't that what people have been paying for?

Indiatimes = World Weekly News. (0)

Anonymous Coward | more than 2 years ago | (#40864061)

Seriously, WHAT fucking non-existent encryption keys? This paper regularly publishes stories in its "science" section that assume that the existence of UFOs, ESP, aliens and time travel are established proven facts in no doubt to anyone.

Already Debunked by RIM (4, Informative)

_DangerousDwarf (210835) | more than 2 years ago | (#40864293)

From the Globe and Mail [theglobeandmail.com]

"Although not all of a BlackBerry's messaging functions are encrypted, RIM has long maintained that it is unable to grant anyone access to its corporate e-mail service, which is encrypted from end-to-end. RIM responded in a statement late on Wednesday, saying it was necessary "to correct some false and misleading information" that had appeared in the Indian media."

"RIM is providing an appropriate lawful access solution that enables India's telecom operators to be legally compliant with respect to their BlackBerry consumer traffic, to the same degree as other smartphone providers in India, but this does not extend to secure BlackBerry enterprise communications," the company added.

B'bye RIM (1)

Crypto Cavedweller (2611959) | more than 2 years ago | (#40864331)

Any system that isn't designed to be secure against EVERYONE is secure against NO ONE. You're throwing away the enterprise business with both hands to the people that don't intentionally cripple their security, RIM ... and you'll deserve the results.

And *pof* (1)

Z00L00K (682162) | more than 2 years ago | (#40864647)

There go the customers to some other solution that can't be eavesdropped.
