RIM Helps Indian Authorities Access BlackBerry Messages

judgecorp writes "RIM has set up a surveillance facility in India to help the authorities monitor users' BlackBerry messages, according to reports. This comes after a long argument in which RIM at first tried to resist opening up to Indian government scrutiny."

Are people still buying blackberries

[Synerg1y]

http://www.informationweek.com/news/mobility/business/231300237

xnews.com/scitech/2011/10/27/class-action-suit-filed-against-rim-after-blackberry-outage/ http://www.itworld.com/mobile-wireless/216895/more-bad-news-rim-playbook-os-update-delayed-4-months-or-maybe-forever

My google search: "RIM News", not "RIM Bad News", http://www.google.com/search?q=RIM+news

Google & MS would just laugh at the silly indians and their depreciation of individual privacy.

Re:Are people still buying blackberries

[Synerg1y]

Is your argument serious or are you just trolling?

Either way your completely speaking out of your ass. We're talking about the Indian government here, RIM is not based there, MS is based in the states, I'm still unclear as to whether your head is really that far up your ass to not be able to tell the difference between the two governments.

Also customers are #1 to an organization, try landing a real job that pays non-monopoly money to learn that or something. No customers, there is no organization for the government to harass.

Lastly, the login button is in the top right if you want to stand by your *ehm* argument.

Re:Are people still buying blackberries

[WNight]

Lobbying for favorable laws opens up markets, and part of getting favorable laws is doing whatever you're asked. So to get those #1 customers they'll do anything, even provide them a cut-rate service by allowing warrantless wiretapping, etc.

And they'll bow to whatever special interest makes it more profitable to deal than fight, from government to church groups.

There's no risk for the companies that do this. If someone was discovered to be in the KKK they might get beaten or killed, but build a product that allows Syria to make prisoners and slaves of its people and you're an A#1 citizen.

Following the law needs to be a minimum standard, not a free pass.

RIM sales already decreasing;not sure this'll help

[youn]

one of the only reasons it sales were still up was through enterprise phones which had insurance their communications were encrypted

Don't glare at RIM

[ackthpt]

The Indian government (among others) will twist arms of any and all carriers to get what they want. Even in the US the gummint will get what it wants one way or another.

Want privacy? Write your own encryption and scramble everything you share with your mates.

Re:Don't glare at RIM

[Flyerman]

You think they won't come knocking once they see that shit on the web?

Re:Don't glare at RIM

[CanHasDIY]

Want privacy? Write your own encryption and scramble everything you share with your mates.

Makes sense for the 99.999% of the global population who aren't cryptophiles...

Re:Don't glare at RIM

[Synerg1y]

No they won't, your tinfoil hat is on too tight.

Re:Don't glare at RIM

[bill_mcgonigle]

The Indian government (among others) will twist arms of any and all carriers to get what they want.

Twisting arms is exactly what it will take to get plaintext from a carrier that's carrying properly configured IMAP/TLS traffic, except it has to be the arm of the user or the server admin - all the carrier can do is block it.

RIM's architecture puts it as the weakest link in the real security model. Serious people have known this for a decade. So much so, that the Indians are only going to catch stupid and small-time criminals.

Re:Don't glare at RIM

[shutdown+-p+now]

Makes sense for the 99% of the population who don't really care all that much about privacy - at least as far as government access goes.

Re:Don't glare at RIM

[sitkill]

Are you sure about that?

And more to the fact, why would they? I don't believe any of their message transfering is encrypted, so why would India need to ask them for it? Note, blackberries encrypt by default. Also note, in the articles linked, they talk about Nokia giving access, so this isn't a blackberry only thing.

RIM is also not giving them access to the BES servers it seems, so they are pushing back....and to be honest, this ENTIRE slashdot submission is pretty much just here for more blackberry bashing (which seems to be pretty popular these days). This was originally announced 6 months ago, but now it makes the slashdot headlines.....

The Mumbai facility apparently deals with intercept requests for mostly consumer-facing services such as BlackBerry Messenger and email. However it is thought that BlackBerry enterprise email remains beyond(sic) the reach of Indian authorities, thanks to its higher levels of encryption.

Re:Don't glare at RIM

[CodeBuster]

Write your own encryption and scramble everything you share with your mates.

It's not necessary to write your own encryption. In fact, doing so is dangerous because without specialized knowledge and very careful programming, bugs or other weaknesses are all too easily introduced. No, there are already many fine open source implementations of various ciphers which are known to be secure. The problem in real world situations is always the key management. Indeed, most known breaches of modern ciphers have mainly come not from brilliant cryptanalysis, but rather attacks on the key management procedures. These can range from insecure operator procedures, bugged input devices and key logging programs to the ever ready rubber hoses when the authorities lack the sophistication and resources required by the former methods. In any case, it's probably easier for you and your mates to simply share in private without going over public networks. Have a LAN party and do your sharing there instead.

Re:Don't glare at RIM

[Sean]

TLS? That's backdoored if the client accepts keys signed by one out of a huge list of trusted CAs. And that's pretty much every major client.

Re:Don't glare at RIM

[Synerg1y]

Name one example in context of OP newb. Too scared to login coward?

Re:Don't glare at RIM

[bill_mcgonigle]

TLS? That's backdoored if the client accepts keys signed by one out of a huge list of trusted CAs. And that's pretty much every major client.

Yeah, like I said, "properly configured IMAP/TLS traffic". I think the organized criminals who have hundreds of millions of dollars at stake aren't going to be making these mistakes.

Setting up a CA is trivial at this point, and client-certificate TLS is getting better support. I guess one should inspect his mail client's source to make sure it properly prevents spoofed server connections if a different trusted CA's signed cert for the same host is presented. Thunderbird does the right thing here, I wonder about Android.

Re:Don't glare at RIM

[ajo_arctus]

If you want to guarantee that your secrets can be decrypted, write your own encryption.

Unless you are a genuine cryptography expert, any encryption scheme you come up with will be easily breakable. You could maybe use one time pads that are longer than your messages and swap/synchronise them in a safe way -- that'd be secure -- but it still won't work. If "they" want to know what's going on, they'll just torture you.

This is perfectly fine

[idiot900]

Nobody in the Indian government would ever consider misusing this surveillance capability. As we all know, Indian government workers do not take bribes, the rich and powerful only have the same rights as anybody else, and the Indian government has a long history of the utmost integrity. There is no reason for anyone using BlackBerry who is concerned about their privacy to switch to another provider.

Re:This is perfectly fine

[Kulfaangaren!]

"Nobody in the US government would ever consider misusing this surveillance capability. As we all know, US government workers do not take bribes, the rich and powerful only have the same rights as anybody else, and the US government has a long history of the utmost integrity. There is no reason for anyone using BlackBerry who is concerned about their privacy to switch to another provider."

There, fixed it for you.

Re:This is perfectly fine

[Opportunist]

Mine.

Vote me for dictator!

Don't worry

[mr1911]

This will be restricted to only legitimate reasons for data. There is absolutely no way it will be abused.

Re:Don't worry

[Opportunist]

I believe you.

Of course, my definition of "legitimate" might differ from theirs...

It won't work in India...

The last time India had a major terrorist attack, the perps used cell phones & sim cards that had never been used before. So there was nothing to tap until the day of the attack.

Terrorists aren't always dumb.

I read this as

[blair1q]

Here's what I saw in that article: "Rim entraps customers into paying to be spied on by their own government, and happily profits from it."

Because leaving profits on the table to do something ethical? Not Rim's business model.

Re:I read this as

[blair1q]

Is RIM the only manufacturer allowing the government to monitor traffic?

Or is it just the only one who tried to fight it, or could?

I suspect the government already has a sniffer on all the other systems.

Doesn't change my view of RIM's capitulation. They tried to keep their entire subscriber base, now they're willing to profit from delivering up those who haven't bailed.

Re:I read this as

[ve3oat]

I read it differently. Since the Indian government can already read the communications from all other brands of mobile phone, they have now asked RIM to help them break into the more secure transmissions from Blackberries. It was inevitable.

Re:I read this as

[TheGratefulNet]

all carriers and equip makers must give governments (and even powerful companies) ability to do DPI and MitM Bad Things(tm).

just routing packets is not 'fun' for companies anymore, nor profitable. they are ALL in the spy business. anything with a cpu, these days (ie, more than the $10 silicon home gig-e switches) will be doing DPI and triggering with hardware assist.

the new hotness is users (ie, owners, ie governments) writing their OWN apps that run *inside* the router/switch.

yeah, think of the great things (...) that they can do with wire speed access to bits on the wire and ability to write fast scripts that edit on the fly.

yup.

its here today. just pay for it and its yours.

And the next step?

[TubeSteak]

How long until criminal organizations setup Enterprise Blackberry servers?

Re:And the next step?

[hawkbat05]

Another option is to write an app implementing PGP using BB PIN messages with a BBM style UI. The only text they would intercept is a public key and base 64 encoded encrypted data. Even of they got one persons private key they'd only see half a conversation. Also, they wouldn't need their own server because they would just use RIM's as the transport. This probably wouldn't be too difficult for the more sophisticated groups. The problem with lawful access is it only catches the dumb ones, but still exposes the innocent.

Re:RIM sales already decreasing;not sure this'll h

[ackthpt]

one of the only reasons it sales were still up was through enterprise phones which had insurance their communications were encrypted

They appear to have nails being hammered into their coffin at a brisk pace.

I'd say this makes them a takeover target for ... Microsoft.

Why BB especially?

[doston]

The US government is able to go into any of the cell providers data side and look at anything with no warrant and no notice to the carrier. Both carriers I worked for provided back doors into the SMS/MMS platforms. The feds even had their own cutesy username (Leo) and password was equally adorable. Why bother with a warrant when you can just go look at the info, then if you see anything interesting, ask for the warrant. Apparently it saves Leo time. Marriage of corporations and governments = what?? That's right, folks.

Re:Why BB especially?

[jimicus]

Because Blackberry, IIRC, provide a messaging service comparable to SMS but using the phone's data connection. This messaging service offers end-to-end encryption.

Correction: Blackberry's marketing claimed it offered end-to-end encryption and that there was no way they could snoop on messages. IIRC they also told the Indian authorities something similar. The fact that this story is able to exist demonstrates that this is not true.

Can't say I'm particularly surprised myself. Telephony providers are more-or-less legally obliged to offer some sort of lawful intercept system in most countries; offering a phone for sale which provides a blatant run around that seems like an extremely good way to get your product banned in very short order.

Re:Why BB especially?

[narcc]

Had you actually read the article (this is Slashdot, I know) then you'd know that, as always, BES users are still secure.

See, RIM couldn't give them access to BES users data no matter how badly they wanted to. They simply don't have the keys.

To avoid the current privacy issues, BIS users in India can make use ot the many of third-party apps that provide additional security to contacts, sms, etc.

So, yes, in India (and just about everywhere else for that matter) Blackberry is still the only real choice when it comes to mobile security.

Re:Why BB especially?

[jimicus]

Funny, I could have sworn the iPhone (and Android for that matter) will happily check the certificate chain when establishing an SSL connection to their email server.

Re:Why BB especially?

[narcc]

There is a lot more to messaging security than just an SSL connection, you know.

When do the other shoes drop?

[tqk]

Does India's justice system have an equivalent requirement for warrants prior to wiretaps?

I wonder when the DHS and (Canada's) CSIS get their own monitoring centres?

Re:When do the other shoes drop?

[GameboyRMH]

You think they don't already have the capability? LOL!

Re:When do the other shoes drop?

[shutdown+-p+now]

According to this, which, as I understand, is the current Indian law on the subject:

"On the occurrence of any public emergency, or in the interest of the public safety, the Central Government or a State Government or any officer specially authorized in this behalf by the Central Government or a State Government may, if satisfied that it is necessary or expedient so to do in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of an offence, for reasons to be recorded in writing, by order, direct that any message or class of messages to or from any person or class of persons, or relating to any particular subject, brought for transmission by or transmitted or received by any telegraph, shall not be transmitted, or shall be intercepted or detained, or shall be disclosed to the Government making the order or an officer thereof mentioned in the order"

(which in practice has been extended by courts to apply to all modes of communication, rather than just telegraph)

However, my understanding is that material obtained through such wiretapping is not directly admissible in the court, so it cannot itself be used as a proof of wrongdoing.

Re:When do the other shoes drop?

[TheGratefulNet]

india's justice system.

hmmm.

I know those words on their own, but for the life of me, I just can't make sense of them together as a phrase.

Re:When do the other shoes drop?

[tqk]

I wonder when the DHS and (Canada's) CSIS get their own monitoring centres?

You think they don't already have the capability?

Up until a few months ago RIM was insisting that, due to the way BBs work, such monitoring centres were simply impossible - it couldn't be done.

Sad. I suspect this sounds the death knell for RIM.

Re:When do the other shoes drop?

[Jiro]

However, my understanding is that material obtained through such wiretapping is not directly admissible in the court, so it cannot itself be used as a proof of wrongdoing.

They will probably just use the standard dodge that's already used in the US: once they look at the inadmissible evidence and figure out who they want to search, claim to have received an "anonymous tip" implicating that person and search them based on the "anonymous tip".

Ahh, the challenges of RIM

[bobstreo]

Secure and highly available..

Re:RIM sales already decreasing;not sure this'll h

[wiedzmin]

Oh please, like other companies (Google, Microsoft, AT&T) don't let other governments (UK, Canada, US) read your "encrypted" email whenever they feel like it.

Re:Didn't RIM claim this wasn't possible?

That is how the Blackberry ENTERPRISE SERVER (BES) works. Indian gov't got access to Blackberry INTERNET Services which is what you use if you don't proactively connect to a BES server.

Re:RIM sales already decreasing;not sure this'll h

[youn]

Blah Blah blah :)... Dude, chill... this is slashdot... no one reads the articles even when there is just one... you actually want me to read 3 haha, you're funnnyyyy :) .. Some of us have a life you know :p... I swear I get out of the basement sometimes. YOu should try... your skin won't sparkle like a vampire, i promise. Anon, zometimez you can really be a pain in the butt/ annoying :p

Re:RIM sales already decreasing;not sure this'll h

[priegog]

Do you any sources to back these claims up? I'm genuinely interested...

S/MIME

[mr100percent]

All the more reason to use S/MIME or PGP/GPG to encrypt your email, and keep it out of government hands.

Re:RIM sales already decreasing;not sure this'll h

[Opportunist]

Huh? Who gave Google, MS and AT&T my private PGP key?

Re:Windtalkers

[Opportunist]

Mmm... given my experience with tech support, all they have to do is talk in English and nobody will be able to break the cypher.

Re:RIM sales already decreasing;not sure this'll h

[wiedzmin]

Here you go:

http://www.dslreports.com/shownews/ATT-Repeatedly-Helped-FBI-Break-Communications-Law-106553
http://www.wired.com/threatlevel/2007/03/fbi_confirms_co
http://www.itworld.com/security/216565/google-admits-it-would-give-your-data-feds-93-times-out-100
http://www.pcworld.com/article/190438/microsoft_stool_pigeon_for_the_cops_and_fbi.html