
Blackberry 10 Sends Full Email Account Credentials To RIM

timothy posted about a year ago | from the good-job-rim dept.

Blackberry 191

vikingpower writes "How a phone manufacturer making a somewhat successful come-back can shoot itself in the foot: Marc "van Hauser" Heuse, who works for German technology magazine Heise, has discovered that immediately after setting up an email account on Blackberry 10 OS, full credentials for that account are sent to Research In Motion, the Canadian Blackberry manufacturer. Shortly after performing the set-up, the first successful connections from a server located within the RIM domain appear in the mail server's logs. (Most of the story in English, some comments in German.) At least according to German law, this is completely illegal, as the phone's user does not get a single indication or notice of what is being done." (Here's Heise's article, in German.)
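The submission's observation that the first connections from RIM's domain show up in the mail server's own logs is something an administrator can turn into a routine check. The script below is an added example, not part of the submission or of Heise's work: it parses constructed Dovecot-style login lines (RFC 5737 documentation addresses, hypothetical users and networks) and flags successful logins for an account that arrive from outside the organisation's own address space shortly after that user set up a device.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed Dovecot-style login lines, not the logs from the article. alice set up her
# device at 09:10; two logins from outside the organisation's networks follow within minutes.
SAMPLE_LOG = """\
Jul 17 09:12:03 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.7, TLS
Jul 17 09:13:41 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.7, TLS
Jul 17 09:13:42 mx dovecot: pop3-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.12, lip=198.51.100.7, TLS
Jul 17 09:20:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice@example.org>, rip=203.0.113.9
Jul 17 10:02:17 mx dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=192.0.2.80, lip=198.51.100.7, TLS
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?P<proto>imap|pop3)-login: Login: "
    r"user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Hypothetical: the address space the organisation itself uses (office, VPN, own servers).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_ts(text, year=2013):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_logins(text, year=2013):
    """Successful logins only; a failed attempt does not show that anyone holds the password."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": parse_ts(m["ts"], year),
            "user": m["user"],
            "proto": m["proto"],
            "rip": ipaddress.ip_address(m["rip"]),
        })
    return events


def third_party_logins(events, trusted=TRUSTED_NETS):
    """Logins whose remote IP lies outside every trusted network."""
    return [e for e in events if not any(e["rip"] in net for net in trusted)]


def logins_after_setup(events, setup_times, window_minutes=15):
    """Third-party logins within the window after a user's device setup: the pattern the
    story describes, where a vendor's server starts using freshly entered credentials."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for e in third_party_logins(events):
        t0 = setup_times.get(e["user"])
        if t0 is not None and t0 <= e["ts"] <= t0 + window:
            hits.append(e)
    return hits


def report(hits):
    """user -> sorted (protocol, remote IP) pairs, suitable for an alert body."""
    out = {}
    for e in hits:
        out.setdefault(e["user"], set()).add((e["proto"], str(e["rip"])))
    return {u: sorted(v) for u, v in out.items()}
```

Feed it the mail server's real login log and the helpdesk's record of device enrolment times; a hit means a host you do not control authenticated with the user's password, which is exactly the signal the story relies on.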


What person thinks this is OK? (4, Insightful)

Anonymous Coward | about a year ago | (#44316799)

There is an engineer, somewhere within this organization, that thinks this is a good idea. I, the important person (due to my stack of dollar bills), will never purchase such a device.

Re:What person thinks this is OK? (4, Insightful)

Anonymous Coward | about a year ago | (#44316943)

Rule of thumb for corporation ethics: If you have to ask the legal department if something is OK then it is still unethical and consumer unfriendly.

Or the catchier version: If you can't tell if something is legal without asking a lawyer then your customers can't do it either.

Re:What person thinks this is OK? (2)

gl4ss (559668) | about a year ago | (#44317007)

and if you have to ask the legal department it's probably illegal in principle anyways... and you know it and are asking for CYA.

Re:What person thinks this is OK? (1)

Iniamyen (2440798) | about a year ago | (#44317961)

Rule of thumb for corporation ethics: If you have to ask the legal department if something is OK then it is still unethical and consumer unfriendly.

Or the catchier version: If you can't tell if something is legal without asking a lawyer then your customers can't do it either.

Corollary: If you don't think you have to consult the legal department, it's A-OK!

Re:What person thinks this is OK? (5, Informative)

pla (258480) | about a year ago | (#44316945)

What person thinks this is OK?

Every single non-technical person in the company, who have no clue whatsoever about the implications of this, don't care about all your "paranoid theories", and "just want the damned thing to work!"

The same people who give their email address to every popup ad that asks for it and then bitch to IT about all the spam they get. And then bitch about all the still-spam-but-of-interest-to-them they stop getting when you turn up the filters on their account. And then bitch about having to remember yet another password when you give them access to manage their own spam filter settings and can't you just be a dear and go in every morning and manually delete the spam they don't want but let the spam they do want through?

Re:What person thinks this is OK? (5, Informative)

Lunix Nutcase (1092239) | about a year ago | (#44317001)

Protip: This is the way BIS has always worked. A post explaining this from four years ago... [crackberry.com] Heise is way behind the times if they've only just now discovered that this is how BlackBerry email works.

Re:What person thinks this is OK? (2)

h4rr4r (612664) | about a year ago | (#44317043)

And it was not much better then.

The first time I saw that I knew I was not getting a blackberry. That was/is a security nightmare.

At least with IMAP over SSL I can be reasonably sure not too many folks are reading my email.

Re:What person thinks this is OK? (1)

ArsenneLupin (766289) | about a year ago | (#44317239)

At least with IMAP over SSL I can be reasonably sure not too many folks are reading my email.

Still depends on how RIM's infrastructure is set up, whether they actually validate the certificates of the mail servers they connect to.

If not, the passwords are still within the NSA's reach.

Theoretically, anybody with a blackberry should be able to test this by setting up a mail server with a deliberately bad certificate: if Blackberry can still log in, it means that it doesn't check the certificate!

Re:What person thinks this is OK? (1)

fustakrakich (1673220) | about a year ago | (#44317317)

...the passwords are still within the NSA's reach.

Can you name anything that isn't?

Re:What person thinks this is OK? (1)

jkflying (2190798) | about a year ago | (#44317469)

That doesn't say anything, if the NSA was doing MITM they'd probably bounce the bad cert to make it look like everything was fine.

Re:What person thinks this is OK? (2, Insightful)

Anonymous Coward | about a year ago | (#44317333)

The first time I saw that I knew I was not getting a blackberry. That was/is a security nightmare.

That's why RIM offers BlackBerry Enterprise Server. If you don't want RIM tunneling your email, you host your own tunnels. BlackBerry has always worked this way.
Did you really think that all of the companies that use BlackBerry send their email through RIM's servers?

Re:What person thinks this is OK? (0)

h4rr4r (612664) | about a year ago | (#44317727)

Actually it still uses RIM's servers, which is why a RIM outage affects all BES users as well.

RIM "offered" BES to make money. They made buttloads of it when CxOs wanted their devices. Now no one wants it and they are still pretending like they are needed.

Re:What person thinks this is OK? (4, Insightful)

LordLimecat (1103839) | about a year ago | (#44317745)

The first time I saw that I knew I was not getting a blackberry.

Then you didn't do your research very well, because BIS is the ghetto "I can't afford a BES" experience. A proper BES is magnitudes more secure than anything SSL has to offer.

Re:What person thinks this is OK? (1)

h4rr4r (612664) | about a year ago | (#44317779)

If they think that is ok for their down market product their up market one likely sucks as well.

I want to see a citation for that last comment. My understanding is BES is totally closed and still sends data via their servers which the outages proved. This means we have no way of knowing how secure it is.

We all use SSL to do our banking, so clearly it is pretty well tested.

Re:What person thinks this is OK? (-1, Troll)

Pieroxy (222434) | about a year ago | (#44317241)

Next news on slashdot:

Shocking! Researcher discovers hitting submit on the login page of Gmail actually TRANSFERS ALL YOUR CREDENTIALS to Google.

Re:What person thinks this is OK? (1, Informative)

inject_hotmail.com (843637) | about a year ago | (#44317489)

Next news on slashdot:

Shocking! Researcher discovers hitting submit on the login page of Gmail actually TRANSFERS ALL YOUR CREDENTIALS to Google.

Hey asshole, pay attention. The issue here isn't that a first or second party is getting the password, it's that the third party is...the third party doesn't need it at all. Let me spell it out for you: This would be similar to Mozilla, Microsoft, or Apple transmitting your password to themselves just because you are using their browser.

Indeed, this is how it has always worked on BlackBerry devices, so I'm not quite sure why this is news. Anyone who didn't already understand this simply doesn't have any technical imagination.

Re:What person thinks this is OK? (2)

Jeff Flanagan (2981883) | about a year ago | (#44317609)

Maybe you should unplug your ethernet cable until you feel less obnoxious.

Re:What person thinks this is OK? (0)

Anonymous Coward | about a year ago | (#44317411)

BlackBerry 10 smartphones no longer use BIS. If your smartphone is associated with the new BlackBerry Enterprise Service 10 which itself only manages the devices with Microsoft Exchange ActiveSync handling all email communication between Microsoft Exchange Server and the BlackBerry 10 smartphone. There is absolutely no reason email credentials should be stored on the back-end servers at BlackBerry (nee Research In Motion).

Re:What person thinks this is OK? (1)

Lunix Nutcase (1092239) | about a year ago | (#44317587)

The point is that RIM saving the email credentials is how they've always done it. Yes, BB10 does not have BIS but still does the email push the same way they did for BIS. The statement still stands that Heise is years behind the times if they only now just discovered this is how RIM does email push.

Re:What person thinks this is OK? (1)

Pieroxy (222434) | about a year ago | (#44317055)

As it turns out, RIM provides a proxy service for email. That's what they do, and everyone has access to this kind of information as BB doesn't hide it but actually advertises it. It may be a bad idea, but it is most certainly not deception. /story.

Re:What person thinks this is OK? (0)

Anonymous Coward | about a year ago | (#44317397)

Wow a Blackberry fanboi in the wild! What a rare and peculiar sight.

(Check Pieroxy's other comment in this thread to see why I think he is a fanboi).

Re:What person thinks this is OK? (1)

Pieroxy (222434) | about a year ago | (#44317499)

The story is dumb fuck stupid, no need to be a fanboi to point it out.

Re:What person thinks this is OK? (0)

LordLimecat (1103839) | about a year ago | (#44317335)

How, exactly, did you think BIS was doing all of these years? How do you think it performed push-email with POP / IMAP?

Re:What person thinks this is OK? (2, Interesting)

peppepz (1311345) | about a year ago | (#44317623)

It's the only way you can implement push email notifications, which once used to be something of Blackberry that people liked. Every other provider of such a service works in the same way.

lol what (-1)

Anonymous Coward | about a year ago | (#44316801)

blackberry has always worked like this.

Re:lol what (1)

dave024 (1204956) | about a year ago | (#44316837)

Yea that's what I thought. I never thought it was a great idea, but it's not really anything new.

Re:lol what (1)

therealkevinkretz (1585825) | about a year ago | (#44316851)

"blackberry has always worked like this."

No, it hasn't. In the past the BES server has credentials for a *single* privileged account that interacts with the mail server. The newest version uses ActiveSync rather than MAPI for that interaction, and it connects with credentials for each individual account. Those credentials are those the article is talking about, and unlike the single BES account, they can be used to access user accounts/data/info anywhere on the network a user can.

Re:lol what (5, Informative)

h4rr4r (612664) | about a year ago | (#44316889)

Actually it has, if you don't have a BES.

If you needed to login to a server that did not have a BES you were forced to hand over your credentials to blackberry since the devices themselves did not talk any other protocols.

They called this service BIS.

Re:lol what (0)

Anonymous Coward | about a year ago | (#44317589)

Oh wow. I hadn't thought of it before, but that means that single privileged account... you know the one with rights to read my WHOLE COMPANY's email, is in the hands of some fool somewhere. Oh well, I knew a long time ago that email was never going to be private using 99% of normal means. I'm more concerned about personal privacy than corporation privacy anyway. Corporations are rich and cheat and do bad things that impact a lot of people. Everyday Joe people should have more rights than a corporation, and those are the people whose rights are being trashed by what our US govt is doing with internet monitoring.

Re:lol what (1)

therealkevinkretz (1585825) | about a year ago | (#44317717)

I was wrong; the retained password behavior applies to POP/IMAP accounts, not ActiveSync. Sorry.

I thought it was designed that way. (0)

Anonymous Coward | about a year ago | (#44316817)

Isn't that how the BB works if you don't have your own BES?

Re:I thought it was designed that way. (2)

h4rr4r (612664) | about a year ago | (#44316831)

Yeah, which is why I always laugh whenever anyone says they are secure devices.

If they can rationalize this behavior only FSM know what else they are doing.

Re:I thought it was designed that way. (2)

BrokenHalo (565198) | about a year ago | (#44317135)

I don't know what you guys are talking about. If the Blackberry is good enough for your President, it should be good enough for you.

But I guess thanks to that nice Mr Snowden, he doesn't have as much to hide any more.

Re: I thought it was designed that way. (0)

Anonymous Coward | about a year ago | (#44317493)

The security hinges on your trust in RIM, and whatever is up the food chain from them.

There is nothing inherently insecure with their email proxy service. There is as much reason to trust the servers as the firmware of the device in your hand anyway.

So, it's not like RIM is special in that regard :/

Re: I thought it was designed that way. (2)

h4rr4r (612664) | about a year ago | (#44317747)

Maybe the firmware of your device, mine is not running an official one.

If you have to let them store your password it is insecure. It is that simple. A good secure proxy system would be handed a token that identifies them as a user of your account but not you. So that one could actually audit usage and the like. BIS does not do this because it is less of integration and more of a MITM attack.
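The delegation design sketched in the comment above (a proxy holds something that identifies it as acting for your account, not your password, so its use can be audited and withdrawn) as an added example, not code from RIM or from any real mail server. TokenAuthority, MailboxServer and PushProxy are hypothetical names; the token is a signed set of claims with an audience, a scope, an expiry and a revocable id, and the password is only ever checked on the user's own server.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed illustration: TokenAuthority, MailboxServer and PushProxy are hypothetical
# names, not RIM's code and not any real mail server's API.
ACTION_SCOPE = {"unseen-count": "notify", "fetch-bodies": "read"}


class TokenAuthority:
    """Lives on the user's mail server. Signs scoped, expiring, revocable tokens
    that name the proxy ("aud") allowed to act on the user's behalf."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # HMAC key; never leaves the server
        self._revoked = set()

    def issue(self, user, proxy_id, scopes, now, ttl=3600):
        claims = {"sub": user, "aud": proxy_id, "scp": sorted(scopes),
                  "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return body + "." + hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def verify(self, token, now):
        """Claims if signature, expiry and revocation all pass; otherwise None."""
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not sig or not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] <= now or claims["jti"] in self._revoked:
            return None
        return claims

    def revoke(self, token):
        """The user can pull one grant without changing the password or other grants."""
        self._revoked.add(json.loads(base64.urlsafe_b64decode(token.partition(".")[0]))["jti"])


class MailboxServer:
    """The user's own mail server; the password is checked here and nowhere else."""
    def __init__(self):
        self.authority = TokenAuthority()
        self._users = {}   # user -> {"pw": sha256 hex, "msgs": [(subject, seen)]}
        self.audit = []    # (now, proxy_id, user, action, outcome): who used which grant

    def add_user(self, user, password, msgs):
        self._users[user] = {"pw": hashlib.sha256(password.encode()).hexdigest(), "msgs": list(msgs)}

    def grant_proxy(self, user, password, proxy_id, now, scopes=("notify",)):
        """The user authenticates on their own server and delegates only `scopes`."""
        rec = self._users.get(user)
        if rec is None or rec["pw"] != hashlib.sha256(password.encode()).hexdigest():
            return None
        return self.authority.issue(user, proxy_id, scopes, now)

    def request(self, token, action, proxy_id, now):
        claims = self.authority.verify(token, now)
        if claims is None or claims["aud"] != proxy_id:
            outcome = "denied:bad-token"
        elif ACTION_SCOPE.get(action) not in claims["scp"]:
            outcome = "denied:out-of-scope"
        else:
            outcome = "ok"
        self.audit.append((now, proxy_id, claims["sub"] if claims else "?", action, outcome))
        if outcome != "ok":
            return None
        msgs = self._users[claims["sub"]]["msgs"]
        if action == "unseen-count":
            return sum(1 for _, seen in msgs if not seen)
        return [subject for subject, _ in msgs]


class PushProxy:
    """Third-party push service: holds a token, never the mailbox password."""
    def __init__(self, proxy_id, token):
        self.proxy_id, self.token = proxy_id, token

    def poll(self, server, now):
        return server.request(self.token, "unseen-count", self.proxy_id, now)


def demo():
    server = MailboxServer()
    server.add_user("alice@example.org", "correct horse", [("invoice", False), ("lunch?", True)])
    t0 = 1_000_000
    token = server.grant_proxy("alice@example.org", "correct horse", "push-proxy-1", t0)
    proxy = PushProxy("push-proxy-1", token)
    results = {
        "count": proxy.poll(server, t0 + 10),                                          # 1 unseen
        "bodies": server.request(token, "fetch-bodies", "push-proxy-1", t0 + 20),     # None: no "read"
        "wrong_proxy": server.request(token, "unseen-count", "someone-else", t0 + 30),  # None: aud
        "expired": proxy.poll(server, t0 + 3600),                                      # None: past exp
    }
    server.authority.revoke(token)
    results["revoked"] = proxy.poll(server, t0 + 40)   # None: grant withdrawn
    results["audit"] = [a[-1] for a in server.audit]
    return results
```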

Re:I thought it was designed that way. (1)

LordLimecat (1103839) | about a year ago | (#44317789)

Yeah, which is why I always laugh whenever anyone says they are secure devices.

What part of "Don't have a BES" didn't you understand?

They're secure devices when you purchase and run the server that's designed to manage them. Otherwise, yes, you're having RIM host the BES service ("BIS"), and you're giving them your credentials. That's irrelevant to 99% of IT departments though, since no one of any significant size bases their mobile infrastructure on BIS.

BES Express went free several years ago and is way more secure than SSL, even if people criticizing blackberries choose to remain ignorant of how BES works.

Re:I thought it was designed that way. (1)

Anonymous Coward | about a year ago | (#44316917)

Isn't that how the BB works if you don't have your own BES?

With the older blackberries without a Blackberry Enterprise Server, yes.

For the new blackberry 10 models without a Blackberry Enterprise Server, the phone makes the email connection directly with no intermediary, so this password leakage should not occur.

I'm going to have to test this to confirm. If true, quite a big fuckup.

WTF? (-1)

Anonymous Coward | about a year ago | (#44316823)

Assholes

Re:WTF? (-1)

Anonymous Coward | about a year ago | (#44317005)

That sound you are hearing is the sound of Slashdot swirling down the toilet, as the once legendary quality of the comments devolves into that of a common newspaper forum.

RIP, Slashdot. You were great.

Re:WTF? (-1)

Anonymous Coward | about a year ago | (#44317253)

sound of Slashdot swirling down the toilet, as the once legendary quality of the comments devolves

AHAHAHAHAHAA you're kidding, right? Comments on Slashdot have been consistently terrible for at least 15 years.

Re:WTF? (1)

fustakrakich (1673220) | about a year ago | (#44317347)

Thank you for confirming that :-)

Re:WTF? (-1)

Anonymous Coward | about a year ago | (#44317659)

Asshole.

To: NSA and other spooks (4, Funny)

Jawnn (445279) | about a year ago | (#44316843)

Memo: Go get it yourself. Gentlemen, We're tired of having to carry this data mining workload on our networks and servers. Here's the list of user names and passwords that we collected for you. Knock yourself out. Regards, RIM

Wow ... (1, Insightful)

gstoddart (321705) | about a year ago | (#44316845)

So either RIM feels they should have this, or they're really stupid.

There is no reason to send your email credentials to RIM ... the local device needs it, but I can't think of a single defensible reason to send your credentials to their servers.

Why do companies feel they're entitled to this kind of information? Pretty much everyone who owns a BlackBerry should be asking if they can really trust the device.

Re:Wow ... (2)

lachlan76 (770870) | about a year ago | (#44316873)

It's so that they can push to the device from servers that don't support that functionality. This is how my previous (Nokia E71) phone did push email, for instance. But in that case you provided your login details through their website and then connected the phone to your Nokia Mail account, so it was clear what was going on.

Re:Wow ... (2, Insightful)

h4rr4r (612664) | about a year ago | (#44316901)

Bullshit.
IMAP even supports push via IMAP IDLE. There is no good reason for that in this day and age. This is just Blackberry again being behind the times and out of date.

Re:Wow ... (4, Insightful)

ArsenneLupin (766289) | about a year ago | (#44317287)

IMAP even supports push via IMAP IDLE.

Yes, but that only works while you are connected to the server, which needs a (potentially expensive) IP connection.

True push might "wake up" your phone with a special SMS when a mail is ready, and then the phone only needs to establish the connection when needed, rather than keeping it up permanently, potentially incurring roaming fees.

Re:Wow ... (1)

h4rr4r (612664) | about a year ago | (#44317697)

Which is why things like wait exist and very long connection lifetimes. The phone can go to sleep with that connection running. Keep alives can be a long time apart.

Re:Wow ... (3, Informative)

ArsenneLupin (766289) | about a year ago | (#44317821)

If the phone brings down its IP connection while some TCP flows are still open, it might not be able to re-attach to these, as it will most probably get a different IP address once it brings up the physical connection again. Not to mention that the server would have no way of sending a packet to the mobile during this "sleeping" phase...

If on the other hand it doesn't bring down the IP connection, it might incur roaming fees, depending on commercial offers, contractual setups etc. If user is lucky, and is charged by traffic, then there will be no problem (almost no packets exchanged during idle). If on the other hand, he is billed over time (like some Austrian and Eastern European operators do), he'd still be stuck with a hefty roaming bill...

Re:Wow ... (1)

h4rr4r (612664) | about a year ago | (#44318019)

You use keep alives to tell the network you need to keep this IP, they are very small and very infrequent.

When you wake to send that, and you only wake a tiny little bit you check for the new email packet.

I guess in those backwards nations the user will just turn off all forms of push email.

Re:Wow ... (2)

Yetihehe (971185) | about a year ago | (#44316885)

There is no reason to send your email credentials to RIM

Push notifications about new email?

Re:Wow ... (2)

h4rr4r (612664) | about a year ago | (#44316913)

For what POP3?
IMAP idle is widely supported in 2013.

Re:Wow ... (1)

alen (225700) | about a year ago | (#44317211)

ms exchange

Re:Wow ... (1)

h4rr4r (612664) | about a year ago | (#44317237)

Which supports ActiveSync, which is push mail and device management. Use that.

It is also supported on several other mail servers, Zimbra being the first one I think of.

Re:Wow ... (1)

stewsters (1406737) | about a year ago | (#44316907)

Google does it with wifi passwords. I assume they do it with other credentials too.
http://arstechnica.com/security/2013/07/does-nsa-know-your-wifi-password-android-backups-may-give-it-to-them/ [arstechnica.com]

Re:Wow ... (3, Insightful)

gstoddart (321705) | about a year ago | (#44316953)

It's a little different, this sends it as soon as you set up the account apparently.

I've set my Android devices to not use Google's cloud backup because I'm increasingly distrustful of them. That, and keeping the Google+ shit at bay.

But in this case, it sounds like as soon as you create an account RIM has your password -- that to me is a terribly designed system.

And RIM wants to make their messaging client available on other platforms? Suddenly it doesn't look like a trustworthy system to me.

Re:Wow ... (3, Interesting)

ZiakII (829432) | about a year ago | (#44316915)

So either RIM feels they should have this, or they're really stupid.

There is no reason to send your email credentials to RIM ... the local device needs it, but I can't think of a single defensible reason to send your credentials to their servers.

Why do companies feel they're entitled to this kind of information? Pretty much everyone who owns a BlackBerry should be asking if they can really trust the device.

Looks like you have no clue how RIM e-mail works on Blackberries. Just copy and pasting a quick summary on how their e-mail system works. "Unlike other PDAs, the BlackBerry device does not log into your email account for you, and check for new messages. This pull type email is best related to having a Post Office box. It requires physical action on your part to go and check your mail. You have to get up, drive in your car to the PO Box location, open it up, check for new mail, get back in your car, and drive home. All this time you are expending time and energy. What happens if you are unable to check the box due to the store/post office being closed? You have to wait until the next chance you get, and then check. As you can see this is not a very time/energy efficient way of doing things.

On the other hand, if you had someone to bring your mail to you, a Postal worker wouldn't that be a better alternative? All you have to do is sit at home and when the mail arrives you have it. No need to do anything, no need to go anywhere else. This is how the BlackBerry architecture works." (Example From Crackberry.com [crackberry.com])

For a site apparently loaded with Computer professionals it's astounding how many here do not know how BlackBerry e-mail works.

Re:Wow ... (3, Insightful)

h4rr4r (612664) | about a year ago | (#44316947)

For such a long comment it is astounding how you don't know how email works in 2013.

What you are talking about was neat in 1995, today is redundant and a security nightmare. Today we have ActiveSync and IMAP idle. Both of these provide push email without handing your password over to RIM or putting you at risk of no email when they have one of their famous outages.

Re:Wow ... (1)

Anonymous Coward | about a year ago | (#44317305)

For such a long comment it is astounding how you don't know how email works in 2013.

What you are talking about was neat in 1995, today is redundant and a security nightmare. Today we have ActiveSync and IMAP idle. Both of these provide push email without handing your password over to RIM or putting you at risk of no email when they have one of their famous outages.

They never made any such comment about how email works in 2013. They posted how BlackBerry does it and has always done it. But that's fine. You stay up there on your high horse. I find it astounding you got mod points for such a poor comment based on bad reading comprehension.

Re:Wow ... (0)

Anonymous Coward | about a year ago | (#44317529)

For such a long comment it is astounding how you don't know how email works in 2013.

What you are talking about was neat in 1995, today is redundant and a security nightmare. Today we have ActiveSync and IMAP idle. Both of these provide push email without handing your password over to RIM or putting you at risk of no email when they have one of their famous outages.

They never made any such comment about how email works in 2013. They posted how BlackBerry does it and has always done it. But that's fine. You stay up there on your high horse. I find it astounding you got mod points for such a poor comment based on bad reading comprehension.

The author of the article wrote this in 2013; he expected that RIM would have moved with the times and updated their security. Especially when you consider they right now look like enablers for present and future police states.

On the other hand, RIM is a nice, safe and juicy target for any journalist to hit on. It doesn't have Microsoft's money, Google's name or Apple's brand, or Samsung's hardware. At this point, they should be happy for any free publicity they might get.

Re:Wow ... (2, Interesting)

bill_mcgonigle (4333) | about a year ago | (#44317313)

For such a long comment it is astounding how you don't know how email works in 2013.

I think he knows how modern e-mail works and was explaining how Blackberry works.

What you are talking about was neat in 1995, today is redundant and a security nightmare. Today we have ActiveSync and IMAP idle. Both of these provide push email without handing your password over to RIM or putting you at risk of no email when they have one of their famous outages.

Look, we've had IMAP IDLE since 1997, the first RIM pager was introduced in 1998 and the first Blackberry smartphone was introduced in 2000. It's never been about the available technology (I was using IMAP IDLE on my Treo 650 in 2004) but about, at the time, enforcing a business model using Blackberry Enterprise Servers. They were about $28K when the phones were about $300. They were rolling in the dough, because CxO's were demanding Blackberries as fashion accessories. The iPhone replaced it as the must-have fashion accessory. There is one great thing to say about the Blackberry - it had lots of hardware buttons to make message navigation very usable and most other smartphones missed and continue to miss this.

But I've been advising companies who deal in secrets (R&D trade secrets mostly) to avoid Blackberry for the entire time I've been doing security consulting (since before I got a Treo) because it was never a secret how Blackberry works.

Re:Wow ... (5, Informative)

LordLimecat (1103839) | about a year ago | (#44317981)

But I've been advising companies who deal in secrets (R&D trade secrets mostly) to avoid Blackberry for the entire time I've been doing security consulting (since before I got a Treo) because it was never a secret how Blackberry works.

Then despite your really good explanation it seems that YOU don't fully understand it. If you have one of those expensive BES servers, RIM never sees your credentials, your mail, or anything, and you have THE most secure mass-market mobile email system out there.

BES supports

  • Per-device symmetric encryption (way outclasses SSL which is a security nightmare between compromised CAs, compromised ciphers, and expiring certs)
  • Enforcing memory and device encryption for years prior to anyone else attempting it, let alone getting it right
  • remote device wipe which IOS / android have only recently gotten, and which actually works
  • enforcing any and every option you might want on any or all blackberries in your organization-- want to force all browsing thru a proxy? Or to go through your corporate firewall? Not a problem.
  • Locking down the devices to prevent installation of undesired apps

Some of these features have been picked up by other device "classes" (IOS, Android), some have been reimplemented badly (ie, device encryption, remote wipe, screen lock), but no one has gotten the comms down as secure as a proper BES.

If you're advising people to avoid BES for SECURITY REASONS, you shouldn't be in the business of advising people. Foreign governments have famously gotten their feathers ruffled because RIM makes it clear that there is no way to snoop those connections.

Re:Wow ... (1)

LordLimecat (1103839) | about a year ago | (#44317863)

What's a security nightmare is SSL. It's astounding that people advocate ditching clunky blackberries running secure BES with per-device AES keys for slick ActiveSync, and then turn around and complain about security.

Meanwhile, SSL has had its recommended cipher change how many times in the last few years? And now we're on the creaky RC4 because all other options have been exhausted?

No, but I'm sure ActiveSync is great. Hope you've vetted your trusted root chain on each of your devices, and hope you've found a suitable way of restricting what APKs can be installed on all your Androids.

Re:Wow ... (1)

h4rr4r (612664) | about a year ago | (#44318037)

I can audit ssl, I cannot audit BES. No their documentation claiming they did AES right does not prove they did.

Those are all solved problems, have fun resending servicebooks.

Re:Wow ... (1)

Anonymous Coward | about a year ago | (#44316949)

For a site apparently loaded with Computer professionals it's astounding how many here do not know how BlackBerry e-mail works.

Most of the people with actual knowledge left years ago. Most of what's left are rejects that make Digg and Reddit appear to be full of geniuses.

Re:Wow ... (0)

Anonymous Coward | about a year ago | (#44317041)

"Looks like you have no clue how RIM e-mail works on Blackberries. "

When referring to the products of RIM, the plural of "Blackberry" is "Blackberrys".

No need to thank me. Just being a douche about it :)

Re:Wow ... (1)

gstoddart (321705) | about a year ago | (#44317195)

Unlike other PDAs, the BlackBerry device does not log into your email account for you, and check for new messages.

So let's highlight what you pasted here ... if it doesn't log into your account for you, WTF does it need the password for?

On the other hand, if you had someone to bring your mail to you, a Postal worker wouldn't that be a better alternative? All you have to do is sit at home and when the mail arrives you have it

What an incredibly stupid analogy ... it's an electronic device which can trivially pull email any time it's within range of the network ... so you can sit at home and the mail will arrive either way. It sounds like they're just trying to explain a terrible architecture.

For a site apparently loaded with Computer professionals it's astounding how many here do not know how BlackBerry e-mail works.

I'm sorry, but if they need to store my username and password, they're either incompetent, or there is no real integration point and they've just hacked something onto it.

If everyone in the world has been using BlackBerries thinking them secure, but some three-letter-agency could go to them and demand your passwords then the entire architecture and platform is crap.

I wouldn't trust them at all, and I believe a lot of people should reconsider how much trust they assign to them.

Re:Wow ... (0)

Anonymous Coward | about a year ago | (#44317227)

Looks like you have no clue how RIM e-mail works on Blackberries.

Sigh.

You are describing how email works on the previous generation of blackberries only when your company doesn't have a Blackberry Enterprise Server.

With the previous generation of blackberries, when you have a Blackberry Enterprise Server, no one has the credentials to get your email. Not RIM, not the mobile carrier. It was designed that way, and one reason blackberries were popular.

And you can download the Blackberry Enterprise Server Express software for free.

With the new blackberry 10 platform, the device can make the email connection directly to the server without an intermediary.

There is no need to provide credentials to anyone, which is why this article is very interesting (if true).

For a site apparently loaded with Computer professionals it's astounding how many here do not know how BlackBerry e-mail works.

Pot, kettle.

Re:Wow ... (0)

Anonymous Coward | about a year ago | (#44317505)

It's more amazing how invalid RIM's analogy is. First, it seems as if they don't know mail clients can check for mail automatically every X minutes, and second, if I don't have network access to POP/IMAP my own email I can't receive push notification from RIM either. Poof! All the reasons given for BIB being better disappeared. This is the sole reason I refused to get a BlackBerry back when they were "the" phone to have.

Re:Wow ... (0)

Anonymous Coward | about a year ago | (#44317959)

So either RIM feels they should have this, or they're really stupid.

There is no reason to send your email credentials to RIM ... the local device needs it, but I can't think of a single defensible reason to send your credentials to their servers.

Why do companies feel they're entitled to this kind of information? Pretty much everyone who owns a BlackBerry should be asking if they can really trust the device.

Looks like you have no clue how RIM e-mail works on Blackberries. Just copy and pasting a quick summary on how their e-mail system works.

"Unlike other PDAs, the BlackBerry device does not log into your email account for you, and check for new messages. This pull type email is best related to having a Post Office box. It requires physical action on your part to go and check your mail. You have to get up, drive in your car to the PO Box location, open it up, check for new mail, get back in your car, and drive home. All this time you are expending time and energy. What happens if you are unable to check the box due to the store/post office being closed? You have to wait until the next chance you get, and then check. As you can see this is not a very time/energy efficient way of doing things.

On the other hand, if you had someone to bring your mail to you, a Postal worker wouldn't that be a better alternative? All you have to do is sit at home and when the mail arrives you have it. No need to do anything, no need to go anywhere else. This is how the BlackBerry architecture works." (Example From Crackberry.com [crackberry.com])

For a site apparently loaded with Computer professionals it's astounding how many here do not know how BlackBerry e-mail works.

Perhaps the OP is referring to the "Discovery Service" when an account is configured on a BB10 device without using the advanced features to include mail server settings. Then yes, by entering an email address the device will probe the discovery service to obtain all relevant server info from the domain implied.

The OP obviously has not read any of the documentation regarding Prism et al. In this era you can have as much encryption as you might feel safe with; however, it is the endpoints that are susceptible to eavesdropping, so either they can hijack your smartphone device (not very plausible) or just log on to the exchange server at your ISP (more probable), circumventing any type of encryption imaginable. Make sense?

Since the evidence has already been provided that Google, Microsoft, Apple, Facebook readily provide all the information to these government entities, your best bet is not to communicate important information via electronic nor snail mail means.

are you sure it is entitlement? (2)

damn_registrars (1103043) | about a year ago | (#44317103)

Why do companies feel they're entitled to this kind of information?

I'll play the devil's advocate here and suggest that RIM might not have done this out of a sense of entitlement, but rather out of a sense of laziness or generally poor programming. This information is not necessarily all that valuable to them anyways.

Pretty much everyone who owns a BlackBerry should be asking if they can really trust the device.

The device just came out, and this applies only to the two newest blackberries. The bigger question is how long will it take them to correct this. They have a choice here; they can either say "oops, we didn't mean to do that" and patch it so that this information isn't passed on in the future, or they can try to come up with some obfuscated excuse why this data being passed on doesn't hurt the user. If they do the former, then it can be attributed to human error. If they do the latter then they might want to consider closing their doors for good.

Re:are you sure it is entitlement? (0)

Lunix Nutcase (1092239) | about a year ago | (#44317177)

It doesn't just apply to new ones. It's the way email has always worked on Blackberry when using BIS.

Re:Wow ... (1)

fustakrakich (1673220) | about a year ago | (#44317375)

Why do companies feel they're entitled to this kind of information?

Not 'entitled'. It's a safe assumption to make that it's a secret government mandate.

Re:Wow ... (0)

Anonymous Coward | about a year ago | (#44317445)

If you seriously think this is a government plot, and the government needs this in order to get around email security, you are more retarded than you seem. Which I would have thought impossible, but the more I see you, the more I'm thinking "fetal alcohol syndrome"

Does anyone care? (4, Insightful)

dgr73 (1055610) | about a year ago | (#44316877)

I was in a conference once where all the big players in the security field were sitting and saying "no way we'll build backdoors into our systems, the best guarantee against that is the fact that if it's found out, we'll be killed in the market, nobody will buy from us". But considering how most companies hit by the NSA scandal are still doing brisk business, I don't think RIM has anything to fear from anyone except a handful of Slashdotters, who use other types of phones anyway.

Re:Does anyone care? (2, Interesting)

Anonymous Coward | about a year ago | (#44317695)

Nobody cares. I work IT for a government agency, and our IT department decided (directly against my opinion) that it's basically not worth the effort to hide our data from the US government. Nothing's changed since the NSA scandal confirmed our worst strong suspicions and safe assumptions. Part of it comes from a defeatist view that they can break into anything they want to. I contend that they are _not_ magic and we _can_ keep them out. In some of our dealings it would be disadvantageous for the US government to see our hand.

Re: Does anyone care? (0)

Anonymous Coward | about a year ago | (#44317859)

You are hopelessly confusing different issues.

One is warrant vs. warrantless searches of "your" accounts in someone else's custody - through their not-secret-to-them side door.

The other is a secret back door to search things (yours, theirs, etc) directly.

Authorities could have warrants to do either, but the fishy gentleman with a fake mustache that built my back porch and copied the door keys... That is entirely possible from any crook, but it's never a sustainable practice.

HTTPS (0)

Anonymous Coward | about a year ago | (#44316931)

I love my Crackberry (OS 7.1 though), but I've never set up email directly on the phone. I've always used the web browser to access it over SSL. Guess I won't upgrade to 10 and just hold onto my 7.1 for now.

Standard Procedure? (3, Interesting)

nate_in_ME (1281156) | about a year ago | (#44316933)

I haven't done all my reading on the new BB10 setup, but I know previous devices not only used RIM's servers to fetch email before passing it on to the device, but actually tunneled all internet traffic through their system. Now, from the article (or at least Google's translation of it), it sounds like BB10 says that setup is no longer used for the push email. However, are they still tunneling through RIM? The article also seems to make a jump in assuming that RIM is storing this data (who else may be listening in along the way is another discussion entirely). The only reference that I saw in the article was to the connection occurring immediately after setting up the account. This could just as easily point to a "test, then throw away" procedure as part of e-mail setup on BB10. Unless there is additional information showing a series of connections over a period of time after setting up the account, there doesn't appear to be any indication that RIM is actually keeping this data.

How is this news? (0)

Anonymous Coward | about a year ago | (#44316935)

If you don't want your BlackBerry traffic tunneled through RIM, then you set up your own enterprise server. BlackBerry traffic always gets tunneled. There is no other option.

If this guy doesn't want his traffic tunneled, why the fuck does he have a BlackBerry? It's their only remaining salable feature! If he wants control over the tunnel, just download and install BES. It's pretty easy.

Re:How is this news? (0)

Anonymous Coward | about a year ago | (#44317061)

BES is something to flee from. This is why RIM is losing its grip on the market. Their only advantage over iOS or Android was that everything was tunneled. With BIS made open to India's government, there isn't any reason to bother with RIM devices these days, period. BES can be used, but the license fees are tremendous.

Re:How is this news? (1)

h4rr4r (612664) | about a year ago | (#44317127)

The license fees are not the problem, the problem is the product sucks. About two years ago we announced the end of our BES, as phones were replaced anyone getting a blackberry product would simply not be added to the BES and be forced to live with BIS. Activesync supporting devices would get all the nice calendar and contact features. It took about 6 months to get rid of the last couple stragglers. Turning off that server saved more money in overtime than it did in license fees.

Re:How is this news? (0)

Anonymous Coward | about a year ago | (#44317531)

Having supported numerous BlackBerry Enterprise Server 4 & 5 implementations I unequivocally say your assertion is incorrect and therefore invalid. If you cannot support a BES in a largely hands-off manner, you are inept and should be terminated.

Re:How is this news? (1)

h4rr4r (612664) | about a year ago | (#44317711)

We were hands off when it broke. Then had to be rebooted for messages to return to one user, causing an outage for the others. Or repushing service books for no good reason, on and on.

The product sucks. There is nothing to really admin anyway. Everything is click the shiny button and pray it works this time. Typical crap windows software.

Do we know that blackberry are alone? (0)

Anonymous Coward | about a year ago | (#44316979)

Do we know if blackberry are the only ones doing this?

Re:Do we know that blackberry are alone? (0)

Anonymous Coward | about a year ago | (#44317497)

I know. But you do not. So the answer to your question is, "no, we don't know".

Does he have a BES? (1)

neurovish (315867) | about a year ago | (#44316999)

Didn't read the article of course, but does this guy have a BES server? I thought this was always how BlackBerries worked. If you weren't running BES, then RIM essentially took over that function. Granted, I haven't touched a BlackBerry in like 6 years, so maybe I am only remembering the good times at this point.

Re:Does he have a BES? (1)

h4rr4r (612664) | about a year ago | (#44317079)

Which does not change the fact that with ActiveSync and IMAP idle widely available there is no need for RIM to do this. You already have push Mail and some amount of device management.

This is likely just some internal RIM folks trying to keep their department funded.

Summary in English (4, Informative)

schneidafunk (795759) | about a year ago | (#44317051)

"When you enter your POP / IMAP e-mail credentials into a Blackberry 10 phone they will be sent to Blackberry without your consent or knowledge. A server with the IP 68.171.232.33 which is in the Research In Motion (RIM) netblock in Canada will instantly connect to your mailserver and log in with your credentials. If you do not have forced SSL/TLS configured on your mail server, your credentials will be sent in the clear by Blackberry's server for the connection. Blackberry thus has not only your e-mail credentials stored in its database, it makes them available to anyone sniffing in between – namely the NSA and GCHQ as documented by the recent Edward Snowden leaks. Canada is a member of the "Five Eyes", the tight-knit cooperation between the interception agencies of USA, UK, Canada, Australia and New Zealand, so you need to assume that they have access to RIM's databases. You should delete your e-mail accounts from any Blackberry 10 device immediately, change the e-mail password and resort to using an alternative mail program like K9Mail.

Clarification: this issue is not about PIN-messaging, BBM, push-messaging or any other Blackberry service where you expect that your credentials are sent to RIM. This happens if you only enter your own private IMAP / POP credentials into the standard Blackberry 10 email client without having any kind of BER, special configuration or any explicit service relationship or contract with Blackberry. The client should only connect directly to your mail server and nowhere else. A phone hardware vendor has no right, for whatever reason, to harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them."
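As an added example (not from this thread or the Heise article) of the log check that both this summary and nate_in_ME's "test, then throw away" question above call for: a Python script that parses Dovecot-style login lines from a mail server log, flags logins from outside each user's expected networks, and reports how many there were, over what span, and how many arrived without TLS, so a single connection right after setup can be told apart from ongoing reuse of stored credentials. The log format, the expected networks and every address except 68.171.232.33 (taken from the summary) are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Dovecot-style login lines. 68.171.232.33 is the address
# the article reported in the RIM netblock; the other addresses are made up.
SAMPLE_LOG = """\
Jul 16 09:41:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
Jul 16 09:41:31 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=68.171.232.33, lip=198.51.100.5, TLS
Jul 16 09:56:40 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=68.171.232.33, lip=198.51.100.5, TLS
Jul 16 10:11:55 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=68.171.232.33, lip=198.51.100.5
Jul 16 10:12:03 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5, TLS
Jul 16 10:30:00 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.5, TLS
"""

# Assumed site policy: networks each user is expected to log in from.
EXPECTED = {"alice": ["192.0.2.0/24"], "bob": ["192.0.2.0/24"]}

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?imap-login: Login: "
    r"user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)

def parse_logins(log_text, year=2013):
    """Yield (timestamp, user, remote_ip, tls) per successful login line.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], ipaddress.ip_address(m["rip"]), line.rstrip().endswith("TLS")

def unexpected_logins(log_text, expected=EXPECTED):
    """Return {(user, ip): {count, first, last, cleartext}} for logins from
    sources outside the user's expected networks. "cleartext" counts logins
    without TLS, i.e. the password crossed the wire unprotected."""
    nets = {u: [ipaddress.ip_network(c) for c in cidrs] for u, cidrs in expected.items()}
    report = defaultdict(lambda: {"count": 0, "first": None, "last": None, "cleartext": 0})
    for ts, user, rip, tls in parse_logins(log_text):
        if any(rip in n for n in nets.get(user, [])):
            continue  # login from where we expect this user to be
        r = report[(user, str(rip))]
        r["count"] += 1
        r["first"] = ts if r["first"] is None else min(r["first"], ts)
        r["last"] = ts if r["last"] is None else max(r["last"], ts)
        r["cleartext"] += 0 if tls else 1
    return dict(report)

if __name__ == "__main__":
    # A single hit right after setup may be a one-off check; repeated logins
    # spread over time point to stored credentials being reused.
    for (user, ip), r in unexpected_logins(SAMPLE_LOG).items():
        minutes = (r["last"] - r["first"]).total_seconds() / 60
        print(f"{user}: {r['count']} login(s) from {ip} over {minutes:.0f} min, "
              f"{r['cleartext']} without TLS")
```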

Re:Summary in English (1)

fustakrakich (1673220) | about a year ago | (#44317425)

A phone hardware vendor has no right, for whatever reason, to harvest account credentials back to his server without explicit user consent and then on top of that connect back to the mail server with them.

You forget that the government is telling them they must. But don't say anything. It's a secret.

Re:Summary in English (1)

PPH (736903) | about a year ago | (#44317805)

You forget that the government is telling them they must.

This may be so in Canada or the USA. But the author of the article is in Germany. This, according to German law, is verboten.

Re:Summary in English (1)

fustakrakich (1673220) | about a year ago | (#44317917)

Since when does 'law' mean anything to a government, aside from a blunt instrument to subdue the masses?

How does real estate work in Germany? (0)

Anonymous Coward | about a year ago | (#44317117)

The "user does not get a single indication or notice of what is being done" is the heart of real estate, at least in North America it seems to me.

It's stealing, basically (1)

sl4shd0rk (755837) | about a year ago | (#44317145)

I hope stuff like this, along with the Snowden Files, proceed to destroy the 'Cloud' paradigm. It was a diseased model to begin with and is proving to be nothing more than a Tap for domestic and international spying.

People deserve privacy, especially in email, and stealing their account credentials ought to be basis enough for a Watergate style investigation. You know full well if some 17 year old did this exact same thing to some politician or movie star, his ass would be roadkill in the court system inside a month. The double standard legal system in some places is just freaking wrong.

Re:It's stealing, basically (0)

Lunix Nutcase (1092239) | about a year ago | (#44317225)

How can they steal what is given to them? They've never hidden that they do this. In fact anyone who has ever used BIS knows they've done this forever.

BlackBerry mail is very poor (2)

timftbf (48204) | about a year ago | (#44317491)

If it's anything like the previous-generation BlackBerries, it's shockingly bad. We bought one for my wife on the strength of it having a physical keyboard, and waded through all the hand-over-your-password BIS nonsense. And, well... I guess it *might* work if you never ever want to look at your mail from anything other than your BB. Once the BB has decided what *its* view of your mailboxes is, good luck in having anything else you do via all your other (IMAP, webmail, whatever) clients have any relationship whatsoever to what you see or do on the BB.

Hello RIM? That's the *whole* *fucking* *point* of IMAP - the mail stays on the server, and I can get the same view of it from anywhere, not go through all the hoops we used to have to jump through to fake synchronisation on POP3 clients.

I've since disabled (or deconfigured, or otherwise turned off) the whole BB mail piece, and installed LogicMail, which I heartily recommend. It's a regular IMAP client, it makes IP connections to the mail server, and it all works Just Fine. If she leaves it running, it gets new mail notifications via IDLE. If she closes it, she doesn't get notifications, but it doesn't suck juice or network usage IDLEing. Her choice.

Welcome to Cloud Computing! (0)

Anonymous Coward | about a year ago | (#44317593)

Where all (ALL) your data is stored on someone else's system! \:D/

We banned Blackberry years ago (0)

ziggy_az (40281) | about a year ago | (#44317597)

When a staff member came to me the first time and asked for help setting up mail on his Blackberry, I told him I'd get back to him after I researched it. Once I figured out that you had to provide complete logon credentials to RIM, I banned the devices. Staff can have them if they wish, but they are not to be used with our corporate mail (or any other) systems.

Back then, RIM gave you two options - give up your corporate security or buy a $3000 machine from RIM to talk to Blackberries. IMO, neither option was acceptable.

Re:We banned Blackberry years ago (0)

Anonymous Coward | about a year ago | (#44317703)

Call me stupid, but I don't see what Blackberries get one that I can't get with an internal CA (where I push root certificates out, the private keys are stored on a machine with no Internet connections.) With my own CA, the only way for someone to MITM is to either compromise that offline CA with a physical attack, or to attack the mail server itself. Since I'm not trusting a big name, the big CAs getting hacked doesn't affect my security in the slightest.

It's your own fault for using closed protocols (1)

guruevi (827432) | about a year ago | (#44318017)

Who is to say that Exchange 201x won't do the same thing or doesn't already? Or any number of proprietary systems? You don't know because you can't see what's really happening with closed protocols, software and devices.
