Slashdot Mirror


Saudi Says RIM Deal Reached; BlackBerry OK, If We Can Read the Messages

crimeandpunishment writes "There's a deal on the table to avert a ban on Blackberry's messenger service in Saudi Arabia. A Saudi regulatory official, speaking on the condition of anonymity, told the Associated Press the deal involves placing a server in Saudi Arabia ... and letting the government monitor users' messages, easing Saudi concerns over security and criminal usage. The deal could have wide-ranging implications, given how many other countries have expressed similar concerns, or in the case of the United Arab Emirates, have threatened to block Blackberry email and messaging services." Perhaps the governments of UAE and India would be satisfied, too, if only they had access to the messages transmitted.

37 of 185 comments

  1. ...and RIM capitulates. by sethstorm · · Score: 4, Interesting

    Guess they don't have any backbone to just drop the country and let the end-users take action.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    1. Re:...and RIM capitulates. by couchslug · · Score: 2, Interesting

      End-users won't fix the problem. RIM would simply lose money.

      The Middle East not only doesn't play by our customs, those customs are utterly alien.

      They want the technology, but they remain tribalist, Jihadist, Wahabist in the case of KSA, and none of this is changing for the better.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    2. Re:...and RIM capitulates. by CdBee · · Score: 3, Insightful

      I posted on here in another thread a few days back that RIM's refusal to back down in the UAE stood them in very good stead as a company as their users would respect that. It's amazing how quickly one can lose confidence again....

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    3. Re:...and RIM capitulates. by Kilrah_il · · Score: 3, Insightful

      Just a word of caution before everyone here denounces RIM: We all remember the news a few days ago that Google made an agreement with Verizon for preferential access to their network. Everyone here was raising hell about how Google threw their "open Internet" stance out the window for profit. And then, after a few hours, we got an update: No such deal!
      So, people, wait a few hours and let's see what's the real deal between RIM and the Saudi government. If this is the real deal - then shame on them!

      --
      Whenever in an argument, remember this.
    4. Re:...and RIM capitulates. by gandhi_2 · · Score: 2, Insightful

      And all the moral relativists come out of the woodwork to suddenly embrace right and wrong.

      Companies don't go to heaven. So companies get NO credit for doing what is right. They only get credit for doing what is necessary to survive.

      Vote with your dollars...but people will still buy whatever product they like best.

    5. Re:...and RIM capitulates. by thePowerOfGrayskull · · Score: 2, Informative

      Guess they don't have any backbone to just drop the country and let the end-users take action.

      It's interesting how we keep seeing a conflation of two different issues.

      BES (enterprise) cannot be monitored. All traffic is encrypted - while it travels through RIM servers, it is encrypted with a key owned by the companies running BES. This includes email and - if I recall correctly -- BlackBerry messenger messages. This means that only devices that have the appropriate keys can decrypt the traffic. No matter what deals are reached, this can't be changed by RIM.

      BIS (consumer) is routed through BB servers, and is not encrypted (or in the case of BBM not unbreakably encrypted). This can be monitored and probably is in many places.

      So in the past few days, we've seen RIM make an announcement over how BES is utterly secure. This has not changed at all - without the keys that companies own, BES traffic can't be decrypted -- RIM devices natively support TripleDES, AES128/192/256, and a host of other crypto algorithms. I don't think anyone's managed to break them so far, at least not in any practical sense...

      Presumably what's happened is that RIM is providing access to monitor BIS (consumer) traffic -- which is something that they've done in other places as well and has prior precedent.

    6. Re:...and RIM capitulates. by gandhi_2 · · Score: 3, Funny

      All morality is relative.

      The moral thing to do...

      Thanks for illustrating my first point.

    7. Re:...and RIM capitulates. by Alcoholist · · Score: 2, Informative

      The problem with freedom is that it never seems to involve corporations or governments.

      The solution to this particular problem is easy, simply let the users run their own encryption with their own software and own keys on their own hardware. I'm surprised such a thing doesn't exist now for the Blackberry. Oh wait, it does. All RIM has to do is tell these dumb governments that "yep, you can read the stuff on our servers," while at the same time paying bloggers under the table to spread word on how to install third party encryption.

      If these governments are still really pissed off about it, they can start arresting users for having encryption software and they can keep on doing that until people finally get the notion they are living in a police state and maybe want to do something about it.

      --
      Bibo Ergo Sum.
    8. Re:...and RIM capitulates. by ShakaUVM · · Score: 2, Funny

      No, no, no. Haven't you read the Slashdot summary?

      Allowing Saudi Arabia to eavesdrop on everyone's communications has "eased their concern" about security issues.

  2. Privacy by ground.zero.612 · · Score: 2, Interesting

    I'm glad I have it.

    (At least for now... my fellow US citizens seem to be completely blind to the forces at work to destroy our privacy.)

    --
    "Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
    1. Re:Privacy by davester666 · · Score: 4, Insightful

      You do realize that the US gov't knows it could not do the same thing without getting a big uproar, but they can just get all of RIM's traffic routed through Saudi Arabia, right... Who am I kidding, the US ALREADY can view everybody's BlackBerry messages.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Privacy by Anonymous Coward · · Score: 5, Insightful

      Who am I kidding, the US ALREADY can view everybody's BlackBerry messages.

      Any evidence of that?

      I recall my company's legal team doing a search for any instance where intercepted, decrypted messages from a Blackberry Enterprise Server were used in court. The lawyers weren't able to find any cases.

      Now, that doesn't prove anything, but it's a good indicator.

      Plus, you can use S/MIME and PGP with blackberry for additional encryption.

    3. Re:Privacy by thePowerOfGrayskull · · Score: 2, Insightful

      You're right - BES can't be intercepted/decrypted. BIS/consumer-grade is a completely different matter. (Unless, as you say, S/MIME is used....)

    4. Re:Privacy by mlts · · Score: 2, Interesting

      The minute people seriously suspect that AES is breakable in large numbers, will be the minute China proposes their own IETF draft of an algorithm and the whole banking sector, and essentially the Internet will change algorithms overnight.

      I have seen this discussion in every major security program, be it PGP back in the 90s, TrueCrypt, BitLocker, or any other program that is relied upon to provide security. This can be reduced to three states:

      1: Governments do not have an easy backdoor. Result: This won't be told to anyone to keep the blackhats from flocking to the program.

      2: Governments have a backdoor that is known to the world: e.g., their country uses Clipper chips, all SSL traffic has to use an escrow key, or the originator and his family is put to death, security appliances are used to MITM all traffic and insert their own keys, or other items. The blackhats will find another mechanism like steganography [1], tunneling over various protocols, or even go back to dead drops with physical media. As always, there will be low hanging fruit nabbed to show that the backdoors are working to catch criminals, but people that mean real harm will be out of reach.

      3: Governments have a backdoor that nobody outside their intel department knows about. This could consist of a hole in the encryption algorithm, a backdoor in x86 chips that allow certain microcode instructions to be executed in ring 0 if it uses a certain undocumented header, a hidden RSA override key, or just knowledge of a weak link (hashing to 40 bits, using the hash as the actual key.) Here, if a government had access to information (like a criminal case where it was presented that data was obtained due to an algorithm or key storage weakness), the minute people found out that this was possible, the whole world would immediately change their algorithm selection or create an add-on which used another encryption technology. For example, if AES was found to be the cause of leaked data, TDES [2] would be reused or another algorithm used in AES's stead. Other means of encryption would either replace the algorithm, or have another pass using the new algorithm if it couldn't be replaced to ensure security. If the weakness was in hardware, countries will be building/contracting chip fabs and seeing about multiple architectures [3]. So in reality, a government could not use the fact that they had a backdoor for anything but the largest of cases, because the game will change fast once the security issue is known.

      The RIM deal will put KSA into category #2, which is what they want. The smart criminals will have to move to another means of communication while the dumb ones are easily scooped up and made examples of.

      [1]: Real stego programs, not the antiquated ones from the '90s that the Russian spies used. There are a lot of data streams that can easily have random bits inserted in them and nobody notice/care.

      [2]: TDES was a hack so solid encryption could be done without a major hardware revamp. But other than for the tiny block and key size, it proved to be remarkably secure over a long time.

      [3]: I'm sure that China could easily use their knowledge gained from various sources, or just what is done in their country's chip fabs to create their own architecture with an embedded hypervisor that could virtualize x86 machines. UNIX based operating systems could be easily cross-compiled for the new architecture (probably something like the Itanium with a crapload of registers, lots and lots of cores, and maybe even FPGA-like functionality to make any core on the die act as a GPU, CPU, FPU, x86 core, POWER6 core, or dedicated AES cruncher. Since the government would throw big dollars to subsidize this, even if it cost significantly more than an x86 chip, it would be mandated.)

  3. money talks, freedom walks by TheGratefulNet · · Score: 4, Interesting

    really, that's all that needs to be said.

    fwiw, I have lost all respect for RIM and will not buy their products for my own personal use. they were on the high moral ground for a while but now that they've caved in, they are no different than the other 'carriers'.

    their security is now rendered 'untrustable'. what a shame.

    another one bites the dust.

    --
    "It is now safe to switch off your computer."
    1. Re:money talks, freedom walks by shawn(at)fsu · · Score: 3, Insightful

      Aren't you being a little over dramatic? Exactly how did you think the world worked? You really weren't naïve enough to think that they cared about anything besides profits for the shareholders did you?

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    2. Re:money talks, freedom walks by TheGratefulNet · · Score: 4, Insightful

      what exactly is RIM selling? confidence and trust.

      they just threw all that out the door.

      yes, I think it's a HUGE deal. when their whole stock and trade is privacy and then they turn around and sign a 'smiling deal' with our arch enemies (...), yes, I consider that an about-face in the harshest of ways.

      we all suspected the almighty looney was king, here; but I was hoping for a ray of sunlight. hoping; but apparently not getting.

      no corporation, today, can continue the 'do no evil' for very long. how very sad for us all.

      --
      "It is now safe to switch off your computer."
  4. Travellers? by JSBiff · · Score: 4, Interesting

    I see how this solution would work for customers of Saudi mobile operators, whose phones would be pre-configured to use the 'local' BB server. What about travellers from other countries - would they have to go into their phone and manually re-configure it to contact the Saudi BB Server? Would that basically be the same steps as if you were setting up to use a corporate-owned BB Server? What if you already use a corporate BB Server? Will your messages be blocked? If the email account you are trying to check is your company email account, and the only way to access it is through the company-owned Enterprise BB Server, are you S.O.L.?

  5. travel is optional by OrangeTide · · Score: 4, Insightful

    You give up certain rights when you travel to a foreign country.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:travel is optional by vertinox · · Score: 3, Insightful

      You give up certain rights when you travel to a foreign country

      Rights are inherent and not given or allowed by any government. Nor are laws enumerations on these rights.

      I thought that was the whole point of the Magna Carta and the American Revolution.

      But if you want to be pragmatic about it, it is in the moral and political best interest of any nation who does respect those rights to put pressure on countries that do not.

      Or is it ok to be nice with people who allow repression and torture in their countries?

      It doesn't matter if it is their law in that country or not, if you are an individual or a corporation that plays nice with those rules, it means you support those policies. There are no ifs, ands, or buts about that.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    2. Re:travel is optional by ceoyoyo · · Score: 3, Insightful

      Rights are inherent and not given or allowed by any government. Nor are laws enumerations on these rights.

      I thought that was the whole point of the Magna Carta and the American Revolution.

      Haven't travelled much, hey? Rights are a uniquely human invention, and they are given by whoever is in charge and can be taken away by the same entity. In a democracy citizens nominally decide what rights they want to grant themselves and what rights to grant non-citizens (usually not exactly the same list). Sometimes they decide some rights are important enough to try and get other people to agree to as well.

      Note that the Magna Carta was basically an agreement giving the English aristocracy some ability (rights, if you like) to limit the king's power. The commoners didn't really get any rights. Ditto with the US bill of rights - it gave citizens certain rights, but did squat for non-citizens (such as slaves). And neither of those apply to any society (such as Saudi Arabia) that isn't descended from the UK.

      The idea of "inalienable" rights is ridiculous. No society has ever granted the same rights to all people, and certainly not at all times. The US itself only grants many rights to citizens or legal residents, and sometimes doesn't even respect the ones the UN says are basic human rights.

  6. but is corporate willing to give them up? by Joe+The+Dragon · · Score: 2, Insightful

    but is corporate willing to give them up? maybe not and they will need to find a way around it or say no e-mail for workers that are in that country.

    1. Re:but is corporate willing to give them up? by CdBee · · Score: 5, Interesting

      This question has occurred before regarding the USA - some companies banned employees from taking email devices and laptops into the USA, to prevent border searches accessing confidential data, in the light of the new US security arrangements after the terrorist attacks of the last decade.

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  7. In other news, talks with OpenSSH by Statecraftsman · · Score: 4, Insightful

    reached a virtual standstill when the maintainers told Saudi Arabia to "stick it".

  8. But of course by BangaIorean · · Score: 2, Informative

    Perhaps the governments of UAE and India would be satisfied, too, if only they had access to the messages transmitted.

    But of course. Like this guy has mentioned here. It's all about getting a server established in India.

  9. Re:they are a business, why should they care? by SanityInAnarchy · · Score: 2, Interesting

    Why should RIM care if they make sales?

    Because it's the right thing to do.

    Businesses only worry about ethics when they might cause a reduction in profits.

    I have yet to hear a good argument that this should be the case.

    Canada and USA and a lot of other countries trade with Saudi Arabia, I haven't seen them declaring trade embargoes over Saudi Arabia's human rights issues either.

    None of which has anything to do with whether RIM is doing the right thing here.

    --
    Don't thank God, thank a doctor!
  10. Clever, if evil. by fuzzyfuzzyfungus · · Score: 4, Insightful

    Architecturally, it looks like this deal will affect only BIS users, the ones that just walk up to the Phones-r-us kiosk and buy a blackberry and service plan. It won't have any effect on corporate customers running BES servers, since those have their own keys, and devices talking to them won't be dealing with the BIS servers being set up in Saudi Arabia.

    Thus, the customers most likely to complain, and make their complaints felt in the pocketbook, are unaffected, while the little people are ever more transparent.

  11. Re:What does this say about secrets? by ldconfig · · Score: 2, Insightful

    1984 was a warning but sadly it's turned into a how-to manual.

    --
    The spelling and grammar police can kiss my ass
  12. Re:they are a business, why should they care? by Anonymous Coward · · Score: 2, Insightful

    Because their sales depend on business people going to Saudi Arabia and using their products. How do you think their customers will react now that the Saudi government can eavesdrop on confidential business communications, trade secrets, corporate strategy, etc... ???

  13. People deserve the freedom they get by cecom · · Score: 5, Interesting

    People deserve the freedom they get. Have you read the comments on BBC's article?
    http://www.bbc.co.uk/news/technology-10899338
    Let me quote a few:

    Abu Mohd, Riyadh, Saudi Arabia

    I am an expat living in Saudi Arabia. For me the Blackberry is key to staying in contact with my family and friends in a way that I cannot do with other messaging services. I hope Saudi Arabia and RIM solve this situation. There are many people that work here who are away from their families that use this service. This ban would be one more reason to not come here, it does not help to the development of this country.

    Suresh Haridas, Al khobar, Saudi Arabia

    BlackBerry made our life much easier, whether we are using e-mail, internet, or BBM. A lot of people/students such as myself who live thousands of miles away from their family and friends really depend on BBM as a convenient medium to communicate. There is nothing compared to BBM in terms of quickness, convenience, and cost. On the other hand, I understand why governments such as Saudi Arabia, UAE, and others feel threatened. However, I am wondering why BlackBerry does not help these countries in terms of monitoring data and using their own servers to get to encrypted information.

    Rakan H, Riyadh, Saudi Arabia

    I am one of the youths who owns a BlackBerry and I completely agree that it is a major step in my country to protect it against any terrorist or anything that might affect our security. Also I believe all countries like the US should consider the same thing, because it is a tool that can be used among those people who can get access to national security and cause terror to communities. It is a perfect tool for them, cutting it off worldwide will definitely reduce the amount of global issues occurring. If it is necessary to protect the country then why not!

    Jim, Singapore

    I am a Canadian, living in Dubai and dreading losing my Blackberry. Most people I know are aware of the high level of security in the UAE and appreciate the benefits it provides. I would much rather lose some personal freedoms than take a chance with security. RIM has to understand that Dubai is a transit point for trade and potentially terrorism. Its population is continuously changing as over 80% of its residents are foreigners. UAE's high level of security is in the interests of the West. I am hopeful for a positive resolution but am not brave enough to buy up all the handsets that are selling cheap.

    Ara, Dubai, UAE

    Whilst it's perfectly true that any invasion of personal privacy in the name of national security is usually resented, I don't really understand the sense of outrage on this one. After all, don't the western intelligence agencies have extensive gathering facilities for the same sort of thing? I don't see the Gulf states doing anything more than our own governments, like it or not.

  14. Re:Why India would want this by DaveAtFraud · · Score: 2, Insightful

    From what I have read in various sources, most of the terrorists' communication is in code. That is, plain language words and phrases have a specific meaning. They don't use encryption since the very act of encrypting their communication draws attention to it. Something like, "My cousin's wedding is Wednesday," could mean that their planned attack will happen on Wednesday... or this guy's cousin really is getting married on Wednesday. Encrypting such a message just draws attention to it.

    Getting access to something like a Blackberry server won't stop the terrorists from communicating. It might give local companies an advantage if the government makes what should be proprietary information available.

    Cheers,
    Dave

    --
    They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
    Ben
  15. Re:https? by TheGratefulNet · · Score: 2, Informative

    httpS is also not trustable. MITM attacks are not hard (buy the right piece of 'security appliance' and it will fool both ends of the SSL attack). I interviewed at various bay area companies (networking field) and they ALL are trying/doing this, now. very sad and very eye-opening.

    I will never trust the 's' in https again now that I've seen how bad the end-to-end 'authentication' is.

    --
    "It is now safe to switch off your computer."
  16. Re:I agree but it's unlikely to happen by PopeRatzo · · Score: 3, Informative

    From watching the news, I would never have thought crime was decreasing.

    Amazing, isn't it? You'd think that crime was completely out of control.

    Even crime along the US/Mexican border has decreased for each of the last 5 years. From all the hollering in Arizona, you'd think that it was completely lawless, when in fact, crime rates are significantly down.

    --
    You are welcome on my lawn.
  17. Re:I agree but it's unlikely to happen by PopeRatzo · · Score: 2, Insightful

    Thus your options are 1) play dirty or 2) don't play at all.

    To the extent that I'm able, when it comes to unethical companies, I do my best not to play at all. I'm sure there are plenty of customers who don't mind what a company does as long as their products are shiny and the price is right. But once in a while, boycotts have a very positive effect.

    if the marketplace simply allows unethical behavior, and if there is a competitive advantage in being unethical, then natural selection will actually weed out all the ethical companies as inefficient.

    You've just described one of the biggest arguments against the notion that "free markets" are good things. In a truly "free market" the result would inevitably be a few huge companies, a few very rich people and a lot of poor people who work very hard and have very big debts. That's just the way corporations like it because it limits their workers' choices. When you're poor and have lots of debt, you'll take any job and work for almost nothing and you don't have choice in the matter. You keep buying with the credit card and having fewer and fewer choices. In a free market, everybody "owes their soul to the company store".

    --
    You are welcome on my lawn.
  18. Re:https? by cecom · · Score: 2, Informative

    I am pretty sure no security appliance can fool anything unless it can present a security certificate that my browser trusts. That can work in a corporate environment, a school, etc, but definitely not in general.

    In any case, you can trust https only to the extent you can trust the CAs. If there are any CAs in China, UAE, etc, then you can be sure the respective governments can issue a certificate for *.com :-)

  19. Depends on how you mean by Sycraft-fu · · Score: 2, Insightful

    I believe they can get a wiretap warrant and monitor what is going on with a given number. That is not surprising (or secret). However I don't believe they have any secret back door in to the handsets, or private BES units. They seem to use strong, FIPS validated, encryption which to the best of anyone's knowledge is not breakable. In fact the security of the handsets is one of the things the government loves so much about BB and why they are the biggest customer (the US government loves them some BlackBerrys).

    It is one thing to say "Of course RIM cooperates with all lawful investigations." I'd expect nothing else, they don't really have a choice. However it is a different one to say "RIM has built in special back doors so a government can freely monitor what is going on."

    Same kind of thing with your PC. The US government (I'm presuming you live in the US here) can monitor your Internet traffic with a warrant. They can have your ISP mirror everything you do so they can see it. Also, they can seize your PC with a warrant and sift through the data on it. However they can't have your PC spy on you automatically. Your PC does not have some built in back door that lets them get in to it remotely when they like. It does not give them any special monitoring access.

    To put an analogy to a house, the government can get a warrant to survey your house (actually for most kinds they don't need a warrant), and they can get a warrant to search the house itself, and can require you to let them in when presented with this warrant. However they do not have a master key that lets them in to your house when they feel like, and do not have the right to just waltz in when they want with no reason.

  20. Re:they are a business, why should they care? by Clandestine_Blaze · · Score: 3, Insightful

    I have to agree with you here, even failed attacks cause mass hysteria. Just look at the security theater at airports in the US. (I can only speak for the country I live in.) With every failed attack, they tack on another ridiculous "security procedure" that does nothing but make us think that they're doing something useful. To make things worse, then the US requires airports abroad to have similar procedures and regulations to even be allowed within US airspace.

    Though you didn't pose your question to me, I do not find that terrorism requires any competence. Terrorism is simply a desperate way to achieve a political goal. Because they do not have the resources that a government with a standing army has, they choose whatever method that they can get away with, and that's usually hijackings or suicide bombings. Even unsuccessful attacks cause enough of a panic within a general population to change government policy and disrupt everyday life.

    Any idiot with homemade bombs can do this. 9/11, on the other hand, did require competence. The plot was hatched around 1996, though some of it was also luck because the FBI, CIA, and local law enforcement did not talk to each other. (I believe at least one of the would-be hijackers was pulled over before 9/11, for example.)

    But would we feel any different about groups such as al-Qaeda if they were a real government and had a standing army, and sent battalions and regiments into battle? Do we hate their tactics, or their goals?