Blackberries insecure?

Jon Callas jon at callas.org
Thu Jun 21 22:15:20 EDT 2007


On Jun 20, 2007, at 8:41 PM, Steven M. Bellovin wrote:

> According to the AP (which is quoting Le Monde), "French government
> defense experts have advised officials in France's corridors of power
> to stop using BlackBerry, reportedly to avoid snooping by U.S.
> intelligence agencies."
>
> That's a bit puzzling.  My understanding is that email is encrypted
> from the organization's (Exchange?) server to the receiving Blackberry,
> and that it's not in the clear while in transit or on RIM's servers.
> In fact, I found this text on Blackberry's site:
>

There have been rumors for years that the BlackBerry protocol is  
compromised by some government or other. I've heard them for years.  
Ultimately, no one knows, and there's no way to know. It boils down  
to whether you trust RIM or not.

There is a PGP software package for the BlackBerry that will further  
encrypt the content before it's sent out. I use it, and it's quite  
nice. It cooperates really nicely with one of my PGP Universal  
servers, as well. It's one of the best integrations of crypto into a  
mail package I've ever seen.

However, you still have to trust RIM. I've never seen any of the  
code, myself, and to my knowledge no one outside RIM has. There are  
any number of ways that the implementation could be compromised, with  
or without RIM's knowledge.

Paranoia is the *unwarranted* belief that people are out to get you.  
The warranted belief that people are out to get you is caution.  
Personally, I think that this is pure paranoid rumor and innuendo.  
That doesn't mean it's wrong, it just means it's unwarranted.

Last week, I got sent a posting on a web site that someone made that  
said that he had secret knowledge that the USG could break RSA for  
all key sizes that anyone uses, so you should just stop using any  
cryptosystem that uses it. Of course, he couldn't tell us anything  
more to protect the position of the person who told him that. I said  
that if someone told you that an unidentified friend had secret  
knowledge that banks were unsafe and so you shouldn't keep your  
money there, your "I'm being scammed" hairs on the back of your neck  
would stand up. But if some unidentified someone tells you that the  
crypto's bad, it's met with complete credulity.

I have no doubt that people in various governments want to spy on  
high-ranking French. Duh.

But what's more likely, that there are secret government compromises  
of security, or that there's a secret disinformation campaign with  
the goal of convincing these people that the crypto is compromised.  
Of course, the really delicious theory is that they've compromised  
the crypto and then started the disinformation campaign in order to  
get people like me to discredit the disinformation campaign and thus  
reassure people that the crypto isn't broken, when in fact it is. Is  
this paranoid, or merely cautious?

	Jon



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com