Blackberries insecure?
Jon Callas
jon at callas.org
Thu Jun 21 22:15:20 EDT 2007
On Jun 20, 2007, at 8:41 PM, Steven M. Bellovin wrote:
> According to the AP (which is quoting Le Monde), "French government
> defense experts have advised officials in France's corridors of power
> to stop using BlackBerry, reportedly to avoid snooping by U.S.
> intelligence agencies."
>
> That's a bit puzzling. My understanding is that email is encrypted
> from the organization's (Exchange?) server to the receiving
> Blackberry,
> and that it's not in the clear while in transit or on RIM's servers.
> In fact, I found this text on Blackberry's site:
>
There have been rumors for years that the BlackBerry protocol is
compromised by some government or other. I've heard them for years.
Ultimately, no one knows, and there's no way to know. It boils down
to whether you trust RIM or not.
There is a PGP software package for the BlackBerry that will further
encrypt the content before it's sent out. I use it, and it's quite
nice. It cooperates really nicely with one of my PGP Universal
servers, as well. It's one of the best integrations of crypto into a
mail package I've ever seen.
However, you still have to trust RIM. I've never seen any of the
code, myself. and to my knowledge no one outside RIM has. There are
any number of ways that the implementation could be compromised, with
or without RIM's knowledge.
Paranoia is the *unwarranted* belief that people are out to get you.
The warranted belief that people are out to get you is caution.
Personally, I think that this is pure paranoid rumor and innuendo.
That doesn't mean it's wrong, it just means it's unwarranted.
Last week, I got sent a posting on a web site that someone made that
said that he had secret knowledge that the USG could break RSA for
all key sizes that anyone uses, so you should just stop using any
cryptosystem that uses it. Of course, he couldn't tell us anything
more to protect the position of the person who told him that. I said
that if someone told you that an unidentified friend had secret
knowledge that banks were unsafe and so you shouldn't keep keep your
money there, your "I'm being scammed" hairs on the back of your neck
would stand up. But if some unidentified someone tells you that the
crypto's bad, it's met with complete credulity.
I have no doubt that people in various governments want to spy on
high-ranking French. Duh.
But what's more likely, that there are secret government compromises
of security, or that there's a secret disinformation campaign with
the goal of convincing these people that the crypto is compromised.
Of course, the really delicious theory is that they've compromised
the crypto and then started the disinformation campaign in order to
get people like me to discredit the disinformation campaign and thus
reassure people that the crypto isn't broken, when in fact it is. Is
this paranoid, or merely cautious?
Jon
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list