RIM Agrees To Hand Over Its Encryption Keys To India

An anonymous reader writes "BlackBerry maker Research in Motion's (RIM) four-year standoff with the Indian government over providing encryption keys for its secure corporate emails and popular messenger services is finally set to end. RIM recently demonstrated a solution that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies. An amicable solution over the monitoring issue is important for the Canadian smartphone maker since India is one of the few bright spots for the company that has been battling falling sales in its primary markets of the US and Europe. In India, RIM has tripled its customer base to close to 5 million over the last two years."

164 comments

  1. Yes but this won't help by Sir_Sri · · Score: 5, Insightful

    Part of the appeal of RIM was that you knew governments weren't out there stealing secrets sent across your network. I understand that India has a legitimate security need to be able to wiretap communications and so on. But this isn't going to 'help' RIM. This takes away the only major competitive advantage they had, which was that using RIM meant you knew no one in the Indian government was going to steal your work and sell it to someone else (which is a serious concern in India).

    If anything, this just levels the playing field. And that's bad for RIM, because they aren't competitive.

    1. Re:Yes but this won't help by Moblaster · · Score: 5, Insightful

      It's pretty clear what happened. They kept the keys secret and held out for a long time on "principle" because that was the best business decision at the time. Then, as the onslaught of iPhone and Android took its toll, the principle changed to survival, because that became the new best business decision.

      It's sad, but at this point, it hardly affects any country but India anyway!

    2. Re:Yes but this won't help by Sir_Sri · · Score: 2

      And in most other countries you aren't worried about the government stealing and reselling most of your secrets anyway. At least not your own government.

    3. Re:Yes but this won't help by narcc · · Score: 5, Informative

      As has been pointed out over and over again, This Does Not Affect BES Users.

      Everyone else is just as insecure as they always were. If you want security in India, RIM is still your only real choice.

      More details here

    4. Re:Yes but this won't help by Anonymous Coward · · Score: 0

      Let's be real, they've just made it easier. Encryption is crackable, it just depends how much time & effort (and $$$) you want to spend on it.

    5. Re:Yes but this won't help by thePowerOfGrayskull · · Score: 2

      As others have pointed out, this doesn't affect BES - they're as secure as ever in the enterprise.

      Thing is, they've always given this level of access to governments (or we reasonably assume this is the case, anyway) for their BIS service. The difference is officials in India needed to save face and made a big deal out of this - even though they're getting only what they were told they could get from the start, and certainly no more than any other government.

    6. Re:Yes but this won't help by EdIII · · Score: 0

      I understand that India has a legitimate security need to be able to wiretap communications and so on.

      No it doesn't. There is never a legitimate need to tear away freedoms in exchange for questionable gains in security. Ever.

      Sorry to be pedantic, but we should never give any such behavior by a government any legitimacy at all.

    7. Re:Yes but this won't help by DaMattster · · Score: 1

      No, there is no legitimate need to wiretap without any kind of warrant. India calls itself the largest democracy and it behaves in an authoritarian manner.

    8. Re:Yes but this won't help by AK+Marc · · Score: 2

      If the people vote for authoritarian, does that make it non-democratic?

    9. Re:Yes but this won't help by Prune · · Score: 3, Informative

      The article is misleading. The corporate service using Blackberry Enterprise Server has not been compromised because the encryption keys are controlled by the company deploying BES end-to-end. The company's IT generates the encryption key pairs when adding new handsets to the server. What's discussed only affects specific messaging over the non-business Blackberry service BIS.

      --
      "Politicians and diapers must be changed often, and for the same reason."
    10. Re:Yes but this won't help by Prune · · Score: 4, Insightful

      They only have the keys to the non-business service. Corporate users deploying Blackberry Enterprise Server create their own key pairs when registering each handset with the company's BES server, and so control the encryption end-to-end. There are no third parties with access to these keys, making this far more secure than SSL, for example. The article is FUD.

      --
      "Politicians and diapers must be changed often, and for the same reason."
    11. Re:Yes but this won't help by Sir_Sri · · Score: 1

      This Does Not Affect BES Users.

      No, being within India they are already subject to Indian laws, and already have to hand over any enterprise keys they have stored within India if they're 'asked'.

      If you're running your BES from outside the country then you might have a temporary reprieve, until the Indian government gets wind of that plan.

    12. Re:Yes but this won't help by Sir_Sri · · Score: 1

      Businesses in India will already be subject to Indian laws though. RIM isn't subject to Indian law, that's why they've been able to squabble over this as long as they have.

    13. Re:Yes but this won't help by Impy+the+Impiuos+Imp · · Score: 1

      It's bad enough we have crap like the secret AT&T room for the NSA which filters all phone calls through it -- the government isn't monitoring opposing party's calls, trust us.

      A country like India, which is still largely the desired place for college students to work -- so they can rise up and start demanding kickbacks. (Don't mod me down as a troll -- mod down the multiple Indian computer programmers who told me this was how it is.)

      Not the greatest environment to feel secure your secrets aren't being sold off to the highest bidders.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    14. Re:Yes but this won't help by Sir_Sri · · Score: 2

      Sorry to be pedantic

      You're not being pedantic, you're living in a fantasy land. This isn't a legal treatise on just what should be the requisite standard for a wiretap, because that depends in large part on the details of the existing legal system. Wiretap rules in France and the US can be completely different but both reasonable. India has both the authority and a legitimate need to be able to wiretap communications in their own country. Suggesting they can't is wearing a tinfoil hat because you think they have satellites spying on you. Which sometimes they do.

    15. Re:Yes but this won't help by Sir_Sri · · Score: 1

      No, there is no legitimate need to wiretap without any kind of warrant

      I didn't talk about the requirements. Because 'requiring a warrant' is stupid. It's not stupid in the US legal system, but that doesn't mean that's appropriate for India, or Oman, or the Emirates or whatever. India has its own legal system, it's up to them to decide what is or is not a sufficient condition for wiretapping, and that's a separate discussion.

    16. Re:Yes but this won't help by Sir_Sri · · Score: 1

      Well now they don't have to call to Waterloo, and argue over just what they need to get the data. Now they can do whatever they want.

      Also, BES for Indian companies is a separate issue, because companies already have to turn those keys over to the government because they're subject to Indian law.

    17. Re:Yes but this won't help by narcc · · Score: 3, Informative

      RIM doesn't have the keys to hand over. Again, see the link I sent. If you're referring to a company running BES in India being forced to give the gov't access to their communications, that's completely different and has absolutely nothing to do with RIM.

      Still, the point stands. RIM is the only secure option -- the playing field has not been leveled.

    18. Re:Yes but this won't help by Sir_Sri · · Score: 1

      RIM doesn't have the keys to hand over

      Right, the company hosting the BES does. And has for a couple of years. For the moment if your BES is based outside of India you're 'safe', until the government figures out how to deal with that.

      the playing field has not been leveled

      It has. The situation is now no different from you running your own communications app on whatever platform(s) you want. If you're in India they can compel you to hand it over, if you base your servers outside India they can't do anything much to you, and you can't rely on RIM to provide you any inherent security.

    19. Re:Yes but this won't help by Sir_Sri · · Score: 1

      which is still largely the desired place for college students to work

      Relatively few graduates from outside of India want to go to India. When you're in India already then yes, government jobs mean you can never show up and still get paid something, or you can use your position to try and enrich yourself with bribes.

    20. Re:Yes but this won't help by gl4ss · · Score: 1, Insightful

      Sure that they don't ship a backdoor? That's essentially what they're asking for: "This satisfies India's core demand that RIM provide intelligence and security agencies with automatic solutions to monitor all communication on BlackBerry smartphones on a real-time basis, an official aware of the development said."

      It's a pretty crazy requirement for a device that allows programmable code and TCP/IP, though.

      --
      world was created 5 seconds before this post as it is.
    21. Re:Yes but this won't help by Anonymous Coward · · Score: 0

      Similarly, whether it's okay to randomly kill your own system depends on the state? They have their own legal system, so it's up to them to decide whether it's okay for police to spray bullets around for fun? No, this is moral relativism at its worst. It's always wrong for them to wiretap without judicial oversight; the difference between countries is whether their legal system gets this right or wrong, not whether the action itself is right or wrong.

    22. Re:Yes but this won't help by Anonymous Coward · · Score: 0

      At least not your own government.

      Yeah, we're lucky the transmission is not easily interceptable by anyone with an antenna, let alone special-purpose satellites or listening stations all over the world. And even if a foreign government were to intercept it, they would have the decency not to abuse the information to give their own corporations an unfair advantage.

    23. Re:Yes but this won't help by Anonymous Coward · · Score: 0

      The Indian government have announced RIM's capitulation on the matter several times before. What makes you think they know what they're talking about this time?

    24. Re:Yes but this won't help by narcc · · Score: 1

      I don't follow your reasoning? RIM still offers the only secure option, yet somehow they're just as insecure as the rest and thus a level playing field?

      Moreover, how does RIM giving in to the Indian gov't on BIS snooping change anything at all about BES before and after they gave it?

      Sorry, I just don't see how the playing field has been leveled in any way -- RIM is still way ahead in terms of security. They've been dealt a blow, sure, but they've not been knocked down so far as to be on the same level as the rest of the players!

    25. Re:Yes but this won't help by fuzzyfuzzyfungus · · Score: 1

      Part of the appeal of RIM was that you knew governments weren't out there stealing secrets sent across your network. I understand that India has a legitimate security need to be able to wiretap communications and so on. But this isn't going to 'help' RIM. This takes away the only major competitive advantage they had, which was that using RIM meant you knew no one in the indian government was going to steal your work and sell it to someone else (which is a serious concern in india).

      If anything, this just levels the playing field. And that's bad for RIM, because they aren't competitive.

      I suspect that it will help them more than being kicked out of the country, though it certainly won't improve their product in any absolute sense...

    26. Re:Yes but this won't help by somersault · · Score: 1

      Why is RIM's option any more secure than using Exchange ActiveSync over HTTPS? I don't get the big deal when it comes to supposed BB security.

      --
      which is totally what she said
    27. Re:Yes but this won't help by Anonymous Coward · · Score: 0

      Excuse me, but what exactly makes the needs of a bunch of people sitting in a big, stone building more legitimate than the needs of, say, the people sitting OUTSIDE the building? Let me guess what makes their needs legitimate: THEY DECIDED IT WAS SO.

      Governments have always used the 'security of the nation' defense when they want to spy on their own people. That's bullshit. This is a 'security of my own ass' issue as the Indian government looks to undermine its own, LEGITIMATE opposition.

    28. Re:Yes but this won't help by Anonymous Coward · · Score: 0

      No, there is no legitimate need to wiretap without any kind of warrant. India calls itself the largest democracy and it behaves in an authoritarian manner.

      Well, India does have a large number of terrorist groups.

      Of course, many terrorists are aware of the risk of electronic surveillance, which is why the Mumbai terrorists used cell phones which had been purchased in advance and never used until the day of the attack.

      Encryption or no, electronic surveillance didn't help here at all.

    29. Re:Yes but this won't help by Hatta · · Score: 1

      RIM is the only secure option -- the playing field has not been leveled.

      In what way is RIM more secure than anything that implements OTR? e.g. Gibberbot on Android

      --
      Give me Classic Slashdot or give me death!
    30. Re:Yes but this won't help by Anonymous Coward · · Score: 0

      This move could save RIM... governments like China's, India's, Pakistan's, Iran's, Syria's, etc. now have an ally to intercept communications... great business move, questionable ethical move...

    31. Re:Yes but this won't help by Anonymous Coward · · Score: 0

      Why is RIM's option any more secure than using Exchange ActiveSync over HTTPS?

      The security of Exchange ActiveSync over HTTPS depends on the email client recognizing an invalid certificate, and on certificate authorities not issuing fake or duplicate certificates.

      1. It has been demonstrated many times that certificate authorities sometimes issue certificates they aren't supposed to, either by themselves or through resellers. I'm sure some certificate authorities would issue fake certificates if asked/compelled by a government.

      2. Sometimes fake certificates can be issued that appear to be genuine: http://www.pcworld.com/businesscenter/article/256742/flame_spread_via_rogue_microsoft_security_certificates.html

      3. Many users, when prompted with an invalid certificate warning will just click ok.

      That's why.

      I don't get the big deal when it comes to supposed BB security.

      The blackberry platform from end-to-end has been audited, tested and certified by many government & non-government agencies:

      http://us.blackberry.com/business/topics/security/certifications.html

      iPhone has been audited, tested and certified by... nobody.

    32. Re:Yes but this won't help by Sir_Sri · · Score: 1

      RIM still offers the only secure option

      No, it doesn't. That's the entirety of my reasoning. A BES isn't any more secure than any other product can be. And now you can no longer rely on RIM bouncing data through Waterloo to keep it secure.

      A BES, or ANY communications server hosted in India: has to turn over keys or just the data to the government if asked.
      A BES or any communications not hosted in India: Can make a legal fight out of it, might not have to turn data over.
      Any communications via RIM are insecure from within India.

    33. Re:Yes but this won't help by Sir_Sri · · Score: 1

      so it's up to them to decide whether it's okay for police to spray bullets around for fun? No

      yes actually. It is.

      International treaties (which are laws that everyone agrees to follow) would preclude randomly murdering your own population generally, but a country is under no obligation to sign on to those treaties.

    34. Re:Yes but this won't help by Anonymous Coward · · Score: 0
      (Posting anonymously because my co-workers are RIM employees.)

      Score 4 Insightful? Give me a break! Dude, you seriously have no clue about the Blackberry design.

      RIM doesn't hold the encryption keys. The keys are stored in the Blackberry Enterprise Server that is located at each company's data center. RIM can't give up something that, by design, it never had in the first place. That's why the solution is secure from device to the company's on-premise deployment, with no "WAP gap". Yes it sucks that the Indian government is forcing a redesign so they can insert their probes into the secure channel.

      But what are you going to do? At the end of the day, a company must comply with the laws of the countries it operates in. Put the blame where it squarely belongs: the Indian government, FULL STOP. Someone can post the obligatory XKCD comic about the bad guys defeating the elegant encryption by using a $5 wrench on the guy with the password. That's what's going on here. I know the folks here like to fantasize about full encryption and thumbing their collective noses at authority, but we live in the real world where there are both real customers who expect a reliable solution and real authorities who can throw you out without so much as a "thank you ma'am."

      So nice try, but no biscuit for you.

    35. Re:Yes but this won't help by narcc · · Score: 1

      You're really stretching here. Sorry, but when it takes manpower and possibly complex legal action (to say nothing of the expense!) for the Indian gov't to read my messages while it takes virtually no effort for the Indian gov't to read messages on other platforms, my platform is more secure.

      It's like saying Fort Knox is just as insecure as my tool-shed because a highly-trained team of tactical and explosives experts could get in if they really tried.

  2. Sell now by isopropanol · · Score: 0, Flamebait

    Too late to short the stock. There went any remaining perception that there was any reason to choose Blackberry over an ActiveSync or IMAP capable device.

    1. Re:Sell now by ceoyoyo · · Score: 1

      It seems to me VPN or IMAP over SSL has all the advantages of BB without the risk they'll sell you out. And has for some time.

    2. Re:Sell now by Anonymous Coward · · Score: 0

      Too late to short the stock. There went any remaining perception that there was any reason to choose Blackberry over an ActiveSync or IMAP capable device.

      Except, if you bothered to actually investigate the matter, it wasn't true.

    3. Re:Sell now by Anonymous Coward · · Score: 0

      ActiveSync

      If you're using ActiveSync, you could probably just as easily use BES or BESExpress (FREE!) - both of which would prevent the Indian government from snooping on your stuff.

    4. Re:Sell now by JoeMerchant · · Score: 1

      I have noticed that news-reaction stock market swings are more responsive to the general public's perception of a news item than they are to the opinions of technical people who may, or may not, have a better grasp of the future business implications of a piece of news.

      In other words, betting opposite of the sentiment you read on /. is likely to bring you better than average returns.

    5. Re:Sell now by LordLimecat · · Score: 4, Informative

      I hope you aren't in a position where you advise anyone on IT.

      ActiveSync's security is in LARGE part dependent on the security of SSL. For a HUGE number of organizations, those SSL keys are self-signed, which provides about the same security of WEP. All that is needed to break in is to somehow get the device to reach out to your server, and then have your server present a similar self-signed cert. Even if you are using a "proper" cert, you can be "easily" bugged by a government, since a large number of governments are considered trusted root authorities (including China); this means they can generate their own certificate, claim to be your Exchange CAS, and your device will happily talk back and forth with it. Presumably at that point your device would authenticate to that rogue server; I'm not clear in what form the credentials would be sent, but we're already into "danger" territory.

      On the flip side, with a proper BES (which is NOT what is being discussed in TFA), SSL simply isn't in the loop. All communications are relayed through RIM, but the encryption keys (up to AES-256) are held completely internally. I believe (though I could be wrong) that each device has its own key which is derived from the master key, so under the absolute worst conditions someone could seize a blackberry and -- shockingly -- have access to that user's email. But of course, they'd have to get around the in-memory encryption and flash encryption that a security-sensitive organization would obviously have enforced on their blackberries.

      At the end of the day, if absolute security is a necessity, you probably don't want your employees running around with smartphones, but if you do, you're using Blackberry / BES because there STILL isn't a good competitor in that range. Plus, if we're completely honest, most androids are touchscreen, and touchscreen devices simply aren't as good at fulfilling the role of business communication device. They have other perks, but from personal experience I can say that they are a massive letdown when it comes to email and phone.

    6. Re:Sell now by LordLimecat · · Score: 2

      PS, if you think IMAP is a serious competitor to what a BES does, you are even more in the dark than I originally thought.

    7. Re:Sell now by Anonymous Coward · · Score: 0

      What we need is a completely free phone. From the modem on up and a one way paging system that can only receive information and works on a huge scale. I know this doesn't exist today although that is still something we need. Instead of receiving a call we should be receiving millions of tiny codes. If your device receives your code it turns the modem on and connects to a waiting caller who is on hold. This way you don't have to worry about governments tracking your every move. You also don't have to worry about back doors. You can also then implement a proper security system which does not rely on any company for security. Or there are multiple operators (think VPN + voip so that the cellular provider has no control).

    8. Re:Sell now by bill_mcgonigle · · Score: 4, Insightful

      It seems to me VPN or IMAP over SSL has all the advantages of BB without the risk they'll sell you out. And has for some time.

      Yeah, I was pointing this out to clients as early as 2004. I had a working IMAPS client on a Treo 650 at the time. They wanted Outlook integration over security (despite always talking about their multi-billion-dollar IP that had to be protected at all costs). Lesson learned: most people don't care about security, they just say they do.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    9. Re:Sell now by isopropanol · · Score: 1

      Setting up a private CA and removing default CAs != self-signed cert. SSL can be set up securely.

    10. Re:Sell now by Anonymous Coward · · Score: 1

      Lesson learned: most people don't care about security, they just say they do.

      Just like when a woman says she wants a "nice guy", then dates ten douches in a row that abuse the fuck out of her, all the while her bitching about the douches to a nice guy who she coincidentally isn't at all interested in.

      Moral of the story: Corporations are full of the crazy!

      (Apologies in advance to my opposite gender. Just got a call while reading this article from just such a person whom (I thought) I got over a decade ago... Clearly I was mistaken) :/

    11. Re:Sell now by Anonymous Coward · · Score: 0

      All that is needed to break in is to somehow get the device to reach out to your server, and then have your server present a similar self-signed cert.

      And if the malicious server presents a cert signed by Verisign then you're in the same position; the device will trust it implicitly if the CA's root cert is in its store and will happily connect to myc0mpany.com instead of mycompany.com.

      That's not a problem with self-signed certs, that's a problem with SSL.
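      The thread argues three positions about ActiveSync or IMAPS over SSL: that self-signed certs leave it as weak as WEP (LordLimecat), that a private CA with the default CAs removed makes it secure (isopropanol), and that a publicly issued cert for a look-alike host defeats it anyway (the AC above). The following Go program is an added example, not from the thread and not RIM or Microsoft code; it runs the client-side certificate check under both trust policies, with every CA and host name constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustIssue builds a certificate for name: self-signed when parent == nil (a CA if
// isCA is set), otherwise a TLS server leaf signed by parent. All CAs and host
// names in this file are constructed for the demo; none is real.
func mustIssue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // host names are matched against the SAN, not the CN
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyAsClient is the check a mail client must pass before it sends credentials:
// chain the presented cert to the configured roots and require it to be valid for
// the host name the client actually dialled.
func VerifyAsClient(presented *x509.Certificate, roots *x509.CertPool, dialledHost string) string {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: dialledHost})
	var unknown x509.UnknownAuthorityError
	var hostname x509.HostnameError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &unknown):
		return "rejected: unknown authority"
	case errors.As(err, &hostname):
		return "rejected: hostname mismatch"
	default:
		return "rejected: " + err.Error()
	}
}

// Outcome records the client's decision in each constructed scenario.
type Outcome struct {
	LegitServer           string // private-CA cert for mycompany.com; private CA is the only root
	SelfSignedImpostor    string // self-signed cert for mycompany.com; private CA is the only root
	LookalikeDefaultStore string // public-CA cert for myc0mpany.com; stock store trusts that CA
	LookalikePrivateRoots string // same look-alike cert; private CA is the only root
}

// Scenarios builds a private CA, a stand-in public CA and three server certs,
// then runs the client check under both trust policies.
func Scenarios() Outcome {
	privateCA, privateKey := mustIssue("Example Corp Private CA", true, nil, nil)
	publicCA, publicKey := mustIssue("Stand-in Public CA", true, nil, nil)
	legit, _ := mustIssue("mycompany.com", false, privateCA, privateKey)
	impostor, _ := mustIssue("mycompany.com", false, nil, nil)
	lookalike, _ := mustIssue("myc0mpany.com", false, publicCA, publicKey)
	privateOnly := x509.NewCertPool() // default CAs removed, private CA pinned
	privateOnly.AddCert(privateCA)
	stockStore := x509.NewCertPool() // stands in for a device's default trust store
	stockStore.AddCert(privateCA)
	stockStore.AddCert(publicCA)
	return Outcome{
		LegitServer:        VerifyAsClient(legit, privateOnly, "mycompany.com"),
		SelfSignedImpostor: VerifyAsClient(impostor, privateOnly, "mycompany.com"),
		// The device was steered to the look-alike host, so the name it dialled matches the SAN.
		LookalikeDefaultStore: VerifyAsClient(lookalike, stockStore, "myc0mpany.com"),
		LookalikePrivateRoots: VerifyAsClient(lookalike, privateOnly, "myc0mpany.com"),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenarios())
}
```

      With a stock trust store the look-alike host is accepted because the host name check passes for the name the device was steered to; only the private-CA-only policy rejects it, which is the isopropanol configuration rather than a self-signed cert.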

    12. Re:Sell now by Anonymous Coward · · Score: 0
    13. Re:Sell now by LordLimecat · · Score: 1

      Which is why it's a good thing that BES doesn't use SSL certs.

    14. Re:Sell now by Anonymous Coward · · Score: 0

      You should've just told them you could make Outlook secure for $X and then told them you'd made some sort of change without actually doing anything. It's doubtful that they'd review everything. You could get money for nothing.

    15. Re:Sell now by Anonymous Coward · · Score: 0

      Ouch. "Run, Forrest, run!"

  3. RIM's private keys by whoever57 · · Score: 0

    So, basically, RIM is handing over its own private keys, with corresponding public keys built into all Blackberries, worldwide, to a government agency.

    Why don't they just do it the simple way and post their private keys on their website?

    --
    The real "Libtards" are the Libertarians!
    1. Re:RIM's private keys by radiumsoup · · Score: 2

      give it a few days and someone will do it for them.

    2. Re:RIM's private keys by LordLimecat · · Score: 4, Insightful

      Once again. For the last time....
      RIM does NOT have the encryption keys used by BES servers. Those keys are held internally by businesses only, and those are then used (along with "random" data) to generate the device keys. Even if RIM somehow had the organization's master key, they wouldn't have access to the "random" data that was used to derive the device key (which is pulled from that "wiggle your mouse around for a while" procedure).

      In other words, BES servers continue as unaffected as before. Call me when India figures out how to large-scale crack AES256 with unknown keys.

    3. Re:RIM's private keys by Anonymous Coward · · Score: 0

      It doesn't matter who has the keys. RIM controls the encryption software, the decryption software and the transport. In order to encrypt/decrypt for the user, they need the key that is on the device/server. You have no guarantee that RIM will not send these keys somewhere in order to satisfy some business need, legitimate or not. I think that "some other company figured this out" is a red herring to convince people that RIM isn't just doing it themselves and exposing the weak link in PKI -- you have to trust the entity doing the encryption/decryption not to do bad things with the key during the short time they can see it.

    4. Re:RIM's private keys by LordLimecat · · Score: 1

      What you are describing is BIS. With B_E_S-- Blackberry Enterprise Server-- you run the server that is ultimately the endpoint for the blackberries. When you install the software, it creates its master encryption key; when you tie new devices into it, it uses that key to derive a per-device encryption key.

      All data is sent through RIM, yes-- but only after it has been encrypted by YOUR server with a key that RIM never gets a hold of. There isn't any question of RIM's goodwill here, but of their inability to crack 3DES or AES (depending on your settings), and their lack of knowledge of your keys. All RIM is doing is providing the transport, as you said-- they are not involved in the encryption process at all.

      If you are asserting that you think that key gets leaked, be prepared to give some proof.

  4. Nothing like giving in... by theNAM666 · · Score: 3, Funny

    ... to a democratically elected government...

    1. Re:Nothing like giving in... by Sir_Sri · · Score: 1

      The government in India is democratic, but that doesn't make it any less corrupt to the bone. I wouldn't trust anyone in the Indian government with my business secrets. Including my own relatives (who are in the civil service).

      India is fully entitled to demand wiretap access. Democratic or not. But the whole reason to choose RIM over a competitor in India was precisely because the government couldn't get into the system, because you can't trust people in government to not just steal your secrets and sell them.

    2. Re:Nothing like giving in... by MightyMartian · · Score: 1

      To a very corrupt democratically elected government. The keys will be in the hands of Russian mobsters in a few days.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:Nothing like giving in... by Opportunist · · Score: 1

      Democratically elected doesn't mean jack anymore, if it ever did. Do you know any democratic government that's not for sale to the highest bidder?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Nothing like giving in... by theNAM666 · · Score: 1

      Evidently I should have enclosed the above in tags.

    5. Re:Nothing like giving in... by theNAM666 · · Score: 1

      *sarcasm* tags. (original filtered out by /. darn editing software)

    6. Re:Nothing like giving in... by theNAM666 · · Score: 1

      /me evidently thought that *sarcasm* tags were not necessary for this audience. Don't know why...

    7. Re:Nothing like giving in... by Desler · · Score: 1

      Then you did it wrong. <sarcasm></sarcasm>

    8. Re:Nothing like giving in... by Anonymous Coward · · Score: 2, Informative

      India's corruption puts any Western government to shame. Want to get anything done? You WILL pay a bribe, and a good one at that, down to the "untouchable" cleaning poop out of the sewer.

      The caste system still stays there, same with the attitude that helping people is considered bad juju since it interferes with their divine punishment.

      Also remember: India isn't a friend to the West. During the Cold War, they were doing their best to cozy up to the Russians, and were willing to do almost anything for them.

      India demanding keys from RIM is no surprise. I'm sure that any US or European messages in that region will wind up in the hands of them, or their Chinese buds.

      Makes you want to trust the broken CA system in SSL/TLS. At least you can possibly dump all other CAs and use your own root certs with have your own trust, as opposed to RIM's "trust us, or buy a new device". Oh... run a BES backend... sure. Like anyone bothers with that.

    9. Re:Nothing like giving in... by Cosgrach · · Score: 1

      Most of the people here on /. would not know sarcasm if it were to bite them on the ass.

      --
      Why is it that most of the people that I encounter seem to have been shat from the Sphincter of Mediocrity?
    10. Re:Nothing like giving in... by AK+Marc · · Score: 3, Funny

      Sarchasm. The gap between you and the joke.

      Sargasm. When your joke makes you laugh a little too hard.

    11. Re:Nothing like giving in... by theNAM666 · · Score: 1

      Perhaps we could arrange for them to be electrically shocked while it bit them on the arse, and simultaneously, offer the smell of raw steak.

    12. Re:Nothing like giving in... by 0ld_d0g · · Score: 1

      India's corruption puts any Western government to shame. Want to get anything done? You WILL pay a bribe, and a good one at that, down to the "untouchable" cleaning poop out of the sewer.

      If you belong to the banker "caste" in the United States... the laws apply differently to you. You can steal from the people, defraud them, gamble their pensions on the stock market, and then get bailed out by the Government... and never, ever have to face any kind of criminal investigation.

      If you belong to the executive branch "caste" you can do anything you want, including assassinate your own citizens abroad via drone strikes. You can lie your way into invading and killing civilians in other countries and much much more.

      I think I prefer paying a small bribe to some poor dude so that he can feed his family.

      The caste system still stays there, same with the attitude of helping people is considered bad juju since it interferes with their divine punishment.

      Um.. what?

      Also remember: India isn't a friend to the West. During the Cold War, they were doing their best to cozy up to the Russians, and were willing to do almost anything for them.

      Why should India befriend the Western powers that colonized and oppressed them? Makes no sense...

      India demanding keys from RIM is no surprise. I'm sure that any US or European messages in that region will wind up in the hands of them, or their Chinese buds.

      Uh.. yeah.. because without RIM.. there is absolutely no means of sending a secure message to anyone. None-whatsoever ! Oh no ! What are we going to do now !

    13. Re:Nothing like giving in... by Anonymous Coward · · Score: 0

      Wow, defending the bribe system? And we wonder why that country still ends up not able to climb out of the Third World even with some of the brightest minds and best talent in the world. Bribes are why that country can't even get a working electric grid deployed, because without every official having their palm properly greased, nothing gets done. The West isn't perfect, but it is a lot easier to pay people proper salaries and get something done than have to worry if a project leader "tipped" every single person in an area properly, down to the dogcatcher.

      It amazes me that people come out of the woodwork to defend such a corrupt government. This is a government where if someone is declared "dead" either accidentally or "accidentally", it can take a decade before they reach a court where they can prove they are "alive" and get the persona non grata status removed.

      With this rampant corruption, and the fact that anything that hits India's way ends up in China, one is far better off with a self signed key system and SSL, or even trusting non-Indian CAs.

      India is a lot like the US: Awesome people, horrific government.

    14. Re:Nothing like giving in... by 0ld_d0g · · Score: 1

      I am no expert in the internal politics of India but I don't think bribes have anything to do with the current low status of the country on certain indicators. I think a lot of harm was done by colonization and it's just been, what, 40-50 years since they became a country. I'd wait and see what happens in about 100-odd years when there has been a change of a few generations in the population.

      Also, I am not defending the bribe system, I am defending the degrees of outrage when comparing bribes with your elected officials committing criminal acts in your name, sabotaging governments in the middle-east and the like.


  5. Actually not quite? by Anonymous Coward · · Score: 1

    According to this article in The Register: http://tinyurl.com/d2zllzk - they don't have the keys to hand over

  6. So how long? by Anonymous Coward · · Score: 0

    till these keys get leaked?

    As if people needed another reason to jump off of RIM.

  7. Not quite the full story... by Shabbs · · Score: 4, Informative

    Please, the BES keys have not been handed over... because they can't be...

    http://crackberry.com/rim-encryption-keys

    BIS != BES.

    --
    Mark
    1. Re:Not quite the full story... by sphealey · · Score: 1

      "I did not steal the stocks or the bonds"

      _Tales of the Black Widowers_, Isaac Asimov

    2. Re:Not quite the full story... by whoever57 · · Score: 1

      Please, the BES keys have not been handed over... because they can't be...

      I don't know how BBs work, so this is pure speculation, but when connecting to a BES server, does the device require a specific key that is tied to that server, or merely any valid key? If the latter, then a man-in-the-middle system could allow connections to BES servers to be spied upon.

      --
      The real "Libtards" are the Libertarians!
    3. Re:Not quite the full story... by Shabbs · · Score: 3, Informative

      It needs a specific key. A BES connection is secured by a key-pair that is generated when the BlackBerry is added to the BES. This allows for the 3DES encryption to occur for all communications over the BES connection.

      The situation you're talking about applies to BIS where any handset can decrypt the encrypted messages.

      This misunderstanding of the differences between BIS and BES led to a lot of FUD unfortunately.

      And you know Apple is keeping an eye on this... cuz India will be coming after them too for access to their iMessage comms, if they have not already done so.

      --
      Mark
    4. Re:Not quite the full story... by LordLimecat · · Score: 1

      Note that BES servers by default use 3DES and (i think?) MD5, but can with the click of a button be transitioned to AES / SHA.

    5. Re:Not quite the full story... by Anonymous Coward · · Score: 0

      And you know Apple is keeping an eye on this... cuz India will be coming after them too for access to their iMessage comms, if they have not already done so.

      Interesting that RIM has been in the news for this. Android and Apple have not. Hmm....

    6. Re:Not quite the full story... by Anonymous Coward · · Score: 0

      BIS, BES, doesn't matter in my book.

      That RIM gave in (and that India demanded) at all is still BS.

    7. Re:Not quite the full story... by Anonymous Coward · · Score: 0

      Note that BES servers by default use 3DES and (i think?) MD5, but can with the click of a button be transitioned to AES / SHA.

      False.

      Out of the box a BES is configured to support both AES and 3DES, and will default to the strongest available (AES) if the handheld supports AES (i.e., the BlackBerry is less than 10 years old).

      Why? A long, long time ago, there were some blackberry handhelds that only supported 3DES, and they could still work today.

      But these days 3DES is never used, unless the BES admin does something stupid like disable AES entirely.

    8. Re:Not quite the full story... by Prune · · Score: 1

      BES has been using AES by default for many years, and will only use 3DES for decade-old handsets that don't support AES.

      --
      "Politicians and diapers must be changed often, and for the same reason."
    9. Re:Not quite the full story... by Prune · · Score: 1

      I don't get it. Care to clarify?

      --
      "Politicians and diapers must be changed often, and for the same reason."
    10. Re:Not quite the full story... by sphealey · · Score: 1

      I wouldn't want to spoil the story for you, but the point is that one must read announcements of this type very carefully as there is generally far more hidden in them that appears on the surface. So your assurances are not entirely... reassuring.

      sPh

    11. Re:Not quite the full story... by Shabbs · · Score: 1

      Yeah, my bad. An old throw back reference to the good old days. ;)

      --
      Mark
    12. Re:Not quite the full story... by LordLimecat · · Score: 1

      My statement was based on (I think) the days of 4.x-- It is possible you are correct with regard to 5.0.

  8. Moral of the story by characterZer0 · · Score: 4, Insightful

    Moral of the story: If you do not control end-to-end encryption yourself, it is not secure.

    --
    Go green: turn off your refrigerator.
    1. Re:Moral of the story by Opportunist · · Score: 4, Insightful

      In this case you don't even control ANY part of the encryption, not even on your end. Something that is the absolute bare minimum for any kind of security.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Moral of the story by Lehk228 · · Score: 2

      if you want to control end to end get a BES

      --
      Snowden and Manning are heroes.
    3. Re:Moral of the story by Anonymous Coward · · Score: 0

      if you want to control end to end get a BES

      Oh ffs think. What if you are sending messages to someone on bis?

      Rim just fucked itself

    4. Re:Moral of the story by JoeMerchant · · Score: 1

      Moral of the story: If you do not control end-to-end encryption yourself, it is not secure.

      This ^ period.

    5. Re:Moral of the story by Anonymous Coward · · Score: 0

      Anyone who uses "This" with an arrow is gay.

    6. Re:Moral of the story by psiclops · · Score: 1

      This ^.

      I'm glad i'm not the only one that gets annoyed by that.

      --
      i spent five minutes thinking and all i got was this crappy sig
    7. Re:Moral of the story by Anonymous Coward · · Score: 0

      ^ This ^

    8. Re:Moral of the story by Prune · · Score: 1

      Except there's no story here, as BES, the service that corporate Blackberry deployments use, _is_ end to end--the encryption key pairs are generated by the company that deploys a BES installation, and neither RIM nor anyone else has access to them, unlike SSL certificates etc. The article is about the consumer BIS service and doesn't affect enterprise.

      --
      "Politicians and diapers must be changed often, and for the same reason."
    9. Re:Moral of the story by v1 · · Score: 1

      as BES, the service that corporate Blackberry deployments use, _is_ end to end--the encryption key pairs are generated by the company that deploys a BES installation, and neither RIM nor anyone else has access to them, unlike SSL certificates etc.

      Everyone in this thread seems to assume that all SSL keys are generated and provided by public CAs, who then could leak your private key. You can roll your own anytime you want. Then just tell the users and your servers to trust your public key. Works the same way for IMAP as it does for HTTPS.

      --
      I work for the Department of Redundancy Department.
  9. Quite a RIMjob... by Anonymous Coward · · Score: 0

    Which will take down the rest of the RIM jobs at the end (to end crypto :)

  10. Did any of you yahoos bother to read the article? by Anonymous Coward · · Score: 2, Informative

    "RIM recently demonstrated a solution developed by a firm called Verint that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies..."

  11. Re: Not BES, and only India by gnoshi · · Score: 3, Interesting

    And it is probably also worth pointing out that this means that RIM's BIS service provides better content protection than SMS/MMS, unencrypted email (which is virtually all e-mail, and indeed all Android phones using the inbuilt GMail app), and almost any IM out there. I've also missed other equally unprotected means of communication.

    Why? Because at least BIS is encrypted in transit to and from RIM. (To be fair, services like MSN Messenger in which all messages go through a central server could be considered more secure than BIS communications, as long as both clients are connecting to the server via SSL).
    Hell, even BB PIN-to-PIN messaging is more secure than many or most of the aforementioned modes of communication. Yes, the key used for encryption is present on each and every handset - but a random MITM sniffer can't get the content without at least having to decrypt it.

    Sure, an Android user could get TextSecure for encrypted SMS, but does anyone actually know anyone who USES this tool?

  12. It's OK... by tlambert · · Score: 4, Funny

    Half the country has been unable to recharge their Blackberries for two days in a row anyway.

  13. But this is India we are talking about by Taco+Cowboy · · Score: 1

    Encryption is crackable

    True, encryption _CAN_ be cracked, by hook or by crook

    If it's the USA, with its seemingly unlimited resources (NSA and the like always get a blank check from Congress for whatever black programs they initiate), I would agree with you.

    But you almost forgot one thing, this is INDIA we are talking about - a nation in which nearly 30% of the population is still living below the one-dollar-a-day level

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:But this is India we are talking about by JoeMerchant · · Score: 3, Funny

      Encryption is crackable

      True, encryption _CAN_ be cracked, by hook or by crook

      Are you talking about this form of cracking? Because, with a sufficiently long secret key, it is proven impossible to break.

      I like using long period PRNGs to make an effective one-time pad. How you initialize the PRNG is your key.

    2. Re:But this is India we are talking about by compro01 · · Score: 1

      In other words, you use a stream cipher.

      --
      upon the advice of my lawyer, i have no sig at this time
    3. Re:But this is India we are talking about by JoeMerchant · · Score: 2

      Yes, and brute forcing the stream cipher key can take a very long time.

      2^19937 is a big number.

    4. Re:But this is India we are talking about by ComaVN · · Score: 1

      You just told all of us your method, and we didn't even need to use a wrench.

      One time pads are only unbreakable when they're generated with a true random source. What you described is a stream cipher, and as long as you know the key to initialize the keystream, it can be forced from you.

      Of course, if you do have a true one-time pad, the location of your copy of it can be extracted just as easily. I'd say the only way to protect against that is to make sure no-one knows you use crypto at all.

      --
      Be wary of any facts that confirm your opinion.
    5. Re:But this is India we are talking about by Anonymous Coward · · Score: 0

      Someone doesn't understand encryption. If you have a decent crypto system then you can tell the world how it works and it doesn't make a bit of difference, because you aren't getting the data without a key.

      If crypto worked the way you think it does then everyone using AES would be screwed because you can download a full description of the algorithm and source code.

    6. Re:But this is India we are talking about by hxnwix · · Score: 1

      By telling us his method, he lost the advantage of his method vs just using AES. I.e., if we don't know how he generates the stream against which his data is XORed, that stream might as well be a one time pad. But now that he told us, the problem is reduced to brute forcing the initial stream generator parameters.

    7. Re:But this is India we are talking about by ComaVN · · Score: 1

      That was not my point at all.

      JoeMerchant was implying his crypto method was perfectly safe against cryptanalysis because it's a one-time pad. However, in the same post he tells us he's not using a one-time pad at all, but a stream cipher.

      --
      Be wary of any facts that confirm your opinion.
    8. Re:But this is India we are talking about by hlavac · · Score: 2

      You are naive. It only takes a few bytes of known plaintext to get your key.

    9. Re:But this is India we are talking about by kbolino · · Score: 1

      No encryption scheme is "proven impossible to break" because no (usable) encryption scheme is unbreakable (if you consider a random stream to be encryption, then in that case it would be unbreakable, but it would be useless). The one-time pad is only proven to be perfectly secure from an information theoretic perspective, which simply means that the only way to break it is through brute force. However, brute force still remains a viable option: if you can guess the key, you can decrypt the information. For that reason, when OTP is used in practice, the data is often obfuscated (by being padded, compressed, or even encrypted with another, less-secure cipher) before being encrypted.

      To be fair, it looks like Wikipedia has this wrong, too.

    10. Re:But this is India we are talking about by void+warranty() · · Score: 2

      Well, he admitted to using mersenne twister for generating the keys. Mersenne twister is not designed for cryptography so it's quite possible it's relatively easy to crack. From wikipedia: "Observing a sufficient number of iterates (624 in the case of MT19937, since this figure is the size of the state vector from which future iterates are produced) allows one to predict all future iterates."

    11. Re:But this is India we are talking about by VortexCortex · · Score: 1

      Yes, and brute forcing the stream cipher key can take a very long time.

      2^19937 is a big number.

      I do hope you're not just XORing the pseudo-random stream with the data. At least initialize a 256 byte cipher table via key expansion, and transform the enciphered bytes with it as well. Additionally use cipher block chaining such that the next block depends on knowing all previous blocks, and you don't reveal the 8-bit block cipher mappings.

      PRNGs were not meant to be used for crypto, and unless you're using a robust crypto framework in addition to the randomness generator, then your "2^19337" is just an illusion -- brute-forcing isn't the only way to reveal the cipher internals. The bit strength is not the period of the generator, it's the total bits of internal state. Making such a flawed assumption is a novice mistake. I wish you well on your journey to becoming a cryptographer, but for now you should really just use the established algorithms.

      Due to the nature of pseudo-random number generators, a known plain text attack can tell us everything we need to know about the next iteration of your cipher.

    12. Re:But this is India we are talking about by Golddess · · Score: 1

      Someone doesn't understand encryption. If you have a decent crypto system then you can tell the world how it works and it doesn't make a bit of difference, because you aren't getting the data without a key.

      Unless I misunderstand, JoeMerchant wasn't describing how the crypto worked, he was describing his personal method of coming up with a key.

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
    13. Re:But this is India we are talking about by Anonymous Coward · · Score: 0

      Or if no one knows you exist, that's another layer of security. Then if you employ steganographic technique, even if you come to light, the message is hidden. Then if it's also encrypted with a truly randomly generated (which is impossible, but you can get close enough for practical purposes,) one-time pad cypher, you have yet another layer of security.

      To review, you generate your random cypher key, encrypt your message, bury that so that no one can tell trivially that it's there, then send it in a way that brings no attention to yourself, so that it doesn't occur to anyone to brute-force attack YOU for the details of your cryptosystem and the key.

      Waaay better than depending on RIM's secure-until-someone-threatens-our-bottom-line encryption system. Before long, someone will mention RIM in a conversation, and someone else' most common reply will be, "Who? You mean they're still in business?!? Or are they like Circuit City or Schwinn, where it's not really the same company, someone just bought the rights to the name..."

    14. Re:But this is India we are talking about by CimmerianX · · Score: 1

      Give the US time..... Removal of all unions and government protections for workers in the name of "job-creating-free-enterprise", and we can also achieve that 30% number as well.

    15. Re:But this is India we are talking about by JoeMerchant · · Score: 1

      Due to the nature of pseudo-random number generators, a known plain text attack can tell us everything we need to know about the next iteration of your cipher.

      Yes, of course, if the same key is reused (many times over LARGE messages). Also, encrypting a long stream of nulls is a great way to help a cryptanalyst break a stream cipher. There is a long list of ways to misuse stream, block, and all manner of cipher schemes. I am not alone in use of PRNGs for stream ciphers.

      I do believe that CryptMT faces a certain amount of negative pressure for real-world use because it is virtually impossible to brute force, if you use long keys. Most of the popular cipher schemes seem to dance just outside the realm of practical breaking - AES128 demonstrated broken by a large cooperative, well AES256 must be good enough?

    16. Re:But this is India we are talking about by JoeMerchant · · Score: 1

      Read up on CryptMT (which is copyright, so I use a non-IP protected variant with similar security properties.) Write me back when you have brute force tried 2^19936 keys on a trivial stream, then try that on a stream that starts at a key-selected point in a large image file, lots of data to load into memory just to "try" each key, increases cost of breaking considerably.

      Since I am a US citizen and marketing a Crypto product for export, I have agreed to reveal the algorithms to the Department of Commerce upon their request (they haven't requested, yet). Before you get all indignant about the invasions of personal freedoms by the US government, etc. etc., consider what other nations of the world do.

      Not revealing the algorithm makes cryptanalysis harder, but the central assumption is that, whether by reverse engineering of the code, coercion, or other methods, the algorithm will someday be revealed. Even when that is true, you still need the key. For personal private communications, I think a relatively weak 56 bit key is appropriate (would take your little sister, using tools downloaded from script kiddies, several weeks using Daddy's 2012 engineering class PC 24-7 to break one message). If the contents of the message are of high value, you can always use the "breakable" outer layer to conceal a message encrypted with stronger methods. If you have a lot of communications encrypted with "breakable" crypto, it makes it harder to find that one "breakable" message that contains a hard (or impossible) to break core.

      Mostly, I just don't want my ordinary private communications (things I would normally not say over a megaphone in a packed stadium), indexed, archived and searchable for less than a penny per thousand words. Strictly speaking, I don't have anything "to hide", but I think it is indiscreet to use clear text on GMail if you don't want to see your words on MSNBC in a few days.

    17. Re:But this is India we are talking about by Anonymous Coward · · Score: 0

      That's not an effective one-time pad; the FAQ on the web site you linked to specifically states that their RNG is not cryptographically secure. You're probably okay anyway, but don't kid yourself: what you're using is security through obscurity, not good crypto.

    18. Re:But this is India we are talking about by JoeMerchant · · Score: 1

      If you're really interested, try reading a few pages here; the summaries are short and easy to understand.

    19. Re:But this is India we are talking about by Anonymous Coward · · Score: 0

      I like using long period PRNGs to make an effective one-time pad. How you initialize the PRNG is your key.

      You understand that you need to hash the output of your PRNG before XORing with it, right? Just checking...
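
The attack that comments #10, #11, #16 and #19 above argue about, as an added worked example that is not part of the original thread, of CryptMT, or of any commenter's product. It models only the raw construction the thread warns against: plaintext XORed with untransformed Mersenne Twister output. Python's `random` module is MT19937, so it stands in for the victim's generator; the cipher, the seed and the sample message are constructed for the demo. The point it shows is the one VortexCortex and void+warranty make: 624 consecutive 32-bit outputs (2496 bytes of known plaintext) let an attacker undo the tempering, rebuild the generator's internal state and decrypt everything that follows, without ever touching the 2^19937 seed space.

```python
"""Known-plaintext recovery of a raw MT19937 keystream.

Added example, not code from the thread. A toy stream cipher XORs the plaintext
with raw Mersenne Twister output. Python's random module is MT19937, so it
stands in for the victim's PRNG. Given N = 624 consecutive 32-bit keystream
words (2496 bytes of known plaintext) the attacker inverts the output tempering,
rebuilds the generator state and decrypts the rest of the message. The seed is
never recovered and never needed.
"""
import random
import struct

MASK32 = 0xFFFFFFFF
N = 624                      # MT19937 state words; also the outputs needed


def keystream(seed, nwords):
    """Victim side: seed the PRNG with the key, emit raw 32-bit words."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(nwords)]


def xor_words(data, words):
    """XOR bytes against little-endian packed keystream words (truncated to data)."""
    ks = b"".join(struct.pack("<I", w) for w in words)
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt(seed, plaintext):
    """Victim's cipher: plaintext XOR keystream (decryption is the same call)."""
    return xor_words(plaintext, keystream(seed, (len(plaintext) + 3) // 4))


# --- attacker side ------------------------------------------------------------

def _undo_right(y, shift):
    """Invert y ^= y >> shift. Each pass fixes `shift` more high bits."""
    x = y
    for _ in range(32):
        x = y ^ (x >> shift)
    return x & MASK32


def _undo_left(y, shift, mask):
    """Invert y ^= (y << shift) & mask. Each pass fixes `shift` more low bits."""
    x = y
    for _ in range(32):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y):
    """Reverse MT19937's output tempering to get the raw state word back."""
    y = _undo_right(y, 18)
    y = _undo_left(y, 15, 0xEFC60000)
    y = _undo_left(y, 7, 0x9D2C5680)
    y = _undo_right(y, 11)
    return y


def clone_generator(words):
    """Rebuild the generator from any N consecutive outputs, no seed required."""
    if len(words) < N:
        raise ValueError("need %d outputs, got %d" % (N, len(words)))
    state = tuple(untemper(w) for w in words[:N])
    clone = random.Random()
    # Index N means "state fully consumed": the next call twists and continues
    # exactly where the victim's generator would.
    clone.setstate((3, state + (N,), None))
    return clone


def break_stream(ciphertext, known_prefix):
    """Known-plaintext attack: needs 4*N known bytes at the start of the message."""
    need = 4 * N
    if len(known_prefix) < need or len(ciphertext) < need:
        raise ValueError("need at least %d bytes of known plaintext" % need)
    ks = bytes(c ^ p for c, p in zip(ciphertext[:need], known_prefix[:need]))
    words = [struct.unpack("<I", ks[i:i + 4])[0] for i in range(0, need, 4)]
    clone = clone_generator(words)
    rest = ciphertext[need:]
    predicted = [clone.getrandbits(32) for _ in range((len(rest) + 3) // 4)]
    return known_prefix[:need] + xor_words(rest, predicted)


# --- constructed sample (not real traffic) ------------------------------------

VICTIM_SEED = 0xBADC0DED5EED                   # the victim's key, never learned
KNOWN_PREFIX = b"X-Report: routine status report from the Mumbai office.\r\n" * 50
SECRET = b"ACQUISITION TARGET: closing price 42.00, board vote Thursday."
PLAINTEXT = KNOWN_PREFIX + SECRET              # predictable boilerplate + payload


def demo():
    """Encrypt the sample, then recover the payload from the header alone."""
    ct = encrypt(VICTIM_SEED, PLAINTEXT)
    recovered = break_stream(ct, KNOWN_PREFIX)
    return recovered[len(KNOWN_PREFIX):]


if __name__ == "__main__":
    print(demo().decode())
```

Two things to notice when running it. First, `clone_generator` works from any 624 consecutive outputs, not just the first 624, because MT19937's twist is a linear recurrence over the output sequence; the example only uses a prefix to keep the byte alignment obvious. Second, the attack recovers the state, not the seed, so the length of the seed and the 2^19937 period are irrelevant, which is the "bit strength is the internal state, not the period" point from comment #11. CryptMT, which JoeMerchant mentions in #16, passes MT output through a nonlinear accumulator before emitting bytes, so this untempering does not apply to it as-is; the block demonstrates the raw-XOR construction the thread discusses, not that design.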

    20. Re:But this is India we are talking about by Meski · · Score: 1

      Which in terms of cost, makes it more affordable. Hell, the NSA have probably outsourced this to India already.

  14. Why hand over the keys themselves??? by Anonymous Coward · · Score: 0

    Even if the keys just decrypt Indian BlackBerries (not sure, do they just do Indian BBs?) why hand them the keys so they can decrypt everything by themselves? Why not make them ask, possibly on a self-service site, for what they want decrypted? And why not charge them a fee for it as well, as many cell phone companies charge fees for wiretaps? Sure they're not going to like it, as the question is often as interesting as the answer in intel, but who the hell are these Indian fucks anyway, why should they not have to "share" what they're interested in with US intelligence?? I'm sure if they knew every request they make is made known to other agencies, they would think twice about asking for things.

  15. Who does it effect? by jago25_98 · · Score: 1, Insightful

    I think we need to make clearer what exactly the impact of this is.

    Can an Indian businessman who bought a BlackBerry in South America and is working in Europe be assured of some level of privacy on communications?

    Does an American businessman with a Blackberry bought in the USA visiting India on the way to China need to rethink how company documents are transmitted?

    Not very clear, especially as the BIS keys can't and therefore haven't been handed over.

    So we have a new server in India, but what is being routed through it?

    1. Re:Who does it effect? by Anonymous Coward · · Score: 0

      Can an Indian businessman who bought a BlackBerry in South America and is working in Europe be assured of some level of privacy on communications?

      Are they in India? Do the Indian authorities have a reasonable argument for jurisdiction? From what you've said, no, they don't.

      Does an American businessman with a Blackberry bought in the USA visiting India on the way to China need to rethink how company documents are transmitted?

      Do you think for a second that the US government would be comfortable with running entire wings of their government on BlackBerry if this were an issue?

    2. Re:Who does it effect? by epiphani · · Score: 3, Informative

      My god these posts are annoying.

      Does an Indian businessman who bought a Blackberry...

      Does an American businessman with a Blackberry...

      Do they have a BES? If they have a BES, nothing to worry about. Next question?

      --
      .
    3. Re:Who does it effect? by Anonymous Coward · · Score: 0

      If you are an American businessman with a North American phone & carrier & BIS account, your BIS account goes through an entirely different data center than the one an Indian user's data goes through, ditto for China. Your payment to the carrier to have signal (roaming charges or whatever) would be your own problem of course, but there are several 'world phone' options that would work seamlessly.

      Now if you buy a new SIM while you are in India that uses a local carrier, and you have to add your email accounts to it, that would be a phone using the Indian data center. . .

    4. Re:Who does it effect? by Anonymous Coward · · Score: 0

      When a Brit going from point A to point B by plane within his/her country, or an Indian sending money from South America to India, or an Australian calling home from the US (or even Canada) can be sure that our TLAs don't know about it, the persons you mention can also be assured of privacy. Assuming or expecting or demanding privacy from other governments while we let our government demand and collect all sorts of information about foreigners (and us too) is naive at best but normally arrogance.

    5. Re:Who does it effect? by Anonymous Coward · · Score: 1

      My god these posts are annoying.

      No kidding. It's "Whom does it affect?". Sheesh...

    6. Re:Who does it effect? by somersault · · Score: 1

      Email account details are stored on your phone, not the SIM. Switching SIM would be the equivalent of say switching from one public Wi-Fi connection to another. What you said in your second paragraph doesn't make much sense.

      --
      which is totally what she said
    7. Re:Who does it effect? by Anonymous Coward · · Score: 0

      For the paranoid BES customers, there is the transcoder feature that allows customers to implement their own crypto before it goes over the wire. The French government uses this feature.

    8. Re:Who does it effect? by Anonymous Coward · · Score: 0

      For the paranoid BES customers, there is the transcoder feature that allows customers to implement their own crypto before it goes over the wire. The French government uses this feature.

      Blackberries also support the use of PGP or S/MIME on top of their regular encryption.

      The S/MIME support is free and works out of the box, but PGP is a paid option.

  16. Saving Face by Anonymous Coward · · Score: 5, Informative

    from the fine article:

    "But he said there was no access to secure encrypted BlackBerry enterprise communications or corporate emails as these were accessible only to the owners of these services."

    The reality is BES uses keys assigned by the owner of the BES server, RIM HAS NOT and CAN NOT give those to anyone, because they don't know them. This has been RIM's position from the beginning, and still is. What they HAVE done is give access to the messaging services they run (and therefore have keys to) to the Indian authorities. My understanding is that this was always the case. The article really does not make the distinction between the two clear.

    TLDNR: RIM gave what they always give anyone, some minister is using it to try and save face. Poor reporting means it worked.

    1. Re:Saving Face by Prune · · Score: 1

      Indeed. And even for messaging, if you're using BES, then you can use your own keys for PIN-to-PIN messaging and then it's fully secure. This article is mostly FUD.

      --
      "Politicians and diapers must be changed often, and for the same reason."
  17. Re: Not BES, and only India by Mr.+X · · Score: 1

    Are you saying that email sent via the Android GMail app isn't encrypted between the device and Google's servers? I can't believe that would be the case, since they made a big deal about forcing people onto SSL for web access to GMail quite a while ago.

  18. Re: Not BES, and only India by Anonymous Coward · · Score: 3, Insightful

    Are you saying you trust your smart phone to have only real, valid intermediate SSL certificates? Or are you so ignorant as to think that governments aren't trying to man-in-the-middle SSL like crazy, especially on mobile networks?

  19. Re: Not BES, and only India by Anonymous Coward · · Score: 1

    They don't need MITM; they have the CA private keys.

  20. Re: Not BES, and only India by Anonymous Coward · · Score: 0

    Are you saying that email sent via the Android GMail app isn't encrypted between the device and Google's servers?

    Of course it is. But the govt of India could easily force a local certificate authority to issue a fake ssl certificate for MITM snooping, or the govt of India could just ask Google to hand over the data (and Google will).

    That is part of the beauty of the BlackBerry Enterprise Server platform - RIM does not have the decryption keys, so if a govt comes with a court order, there is nothing for RIM to hand over.

  21. My name is Patel, and I read all your email ! by Anonymous Coward · · Score: 0

    If this isn't the final nail in the coffin for RIM, I don't know what is.

    Any company that would do this deserves to go under.

    Nortel? Meet your new room mate, Mr. RIM. He had a good run for a while but now he is wondering where his next meal is coming from ...

  22. Is there any point? by apcullen · · Score: 0

    What's the point of paying extra for blackberry service if it's not secure? Isn't that what people have been paying for?

  23. Indiatimes = World Weekly News. by Anonymous Coward · · Score: 0

    Seriously, WHAT fucking non-existent encryption keys? This paper regularly publishes stories in its "science" section that assume that the existence of UFOs, ESP, aliens and time travel are established proven facts in no doubt to anyone.

  24. Misleading title by gagol · · Score: 5, Informative

    Should read "India claims RIM gave encryption keys, RIM strongly denies". http://www.theregister.co.uk/2012/08/02/rim_keys_india/

    --
    Tomorrow is another day...
  25. Re: Not BES, and only India by Stewie241 · · Score: 1

    Sure, BES has that advantage. GP was responding to "unencrypted email (which is virtually all e-mail, and indeed all Android phones using the inbuilt GMail app), and almost any IM out there. I've also missed other equally unprotected means of communication. Why? Because at least BIS is encrypted in transit to and from RIM"

    i.e. he was refuting the statement that Android phones send email unencrypted. This isn't true. Email is encrypted on the route to Google's servers. What happens from there is dependent on the eventual destination. This is the same standard that BIS meets, right?

  26. Already Debunked by RIM by _DangerousDwarf · · Score: 4, Informative
    From the Globe and Mail

    "Although not all of a BlackBerry's messaging functions are encrypted, RIM has long maintained that it is unable to grant anyone access to its corporate e-mail service, which is encrypted from end-to-end. RIM responded in a statement late on Wednesday, saying it was necessary "to correct some false and misleading information" that had appeared in the Indian media."

    "RIM is providing an appropriate lawful access solution that enables India's telecom operators to be legally compliant with respect to their BlackBerry consumer traffic, to the same degree as other smartphone providers in India, but this does not extend to secure BlackBerry enterprise communications," the company added."

  27. B'bye RIM by Crypto Cavedweller · · Score: 0

    Any system that isn't designed to be secure against EVERYONE is secure against NO ONE. You're throwing away the enterprise business with both hands to the people that don't intentionally cripple their security, RIM ... and you'll deserve the results.

  28. Re: Not BES, and only India by Fjandr · · Score: 1

    Won't matter once CALEA is amended to include non-voice public networks. It'll happen eventually.

    This isn't to say I support the extension; I think those proposing it should be shot. That doesn't change the reality that it will eventually be enacted, whether it requires sneaking it into a broad authorization bill or actually getting the support to pass it on its own.

  29. What BS!!! by bayankaran · · Score: 0

    This takes away the only major competitive advantage they had, which was that using RIM meant you knew no one in the indian government was going to steal your work and sell it to someone else (which is a serious concern in india).

    Either you don't live in India or you have no idea about India.
    The Indian government needs the keys for its own stupid "war against terror". I am yet to hear of the Indian government or government agencies stealing corporate secrets / reverse engineering / trade secrets.
    India is not China, if that's what you imply. And the Chinese are doing what the Western civilization did 50 or 100 years ago.

    --
    Tat Tvam Asi
    1. Re:What BS!!! by Sir_Sri · · Score: 1

      I wouldn't even trust my uncles and cousins who work in pharmaceuticals oversight. In India.

      And yes, China is far worse because the theft is state sponsored. In India it's not state sponsored, it's more at the level of corporate espionage, and there's bugger all you can do about it.

  30. And *pof* by Z00L00K · · Score: 1

    There go the customers to some other solution that can't be eavesdropped.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  31. Re: Not BES, and only India by gnoshi · · Score: 2

    Are you saying that email sent via the Android GMail app isn't encrypted between the device and Google's servers?

    No, I'm not saying that GMail for Android (or via a browser, or iPhone) doesn't use SSL. However, GMail is an e-mail service using a client (on Android) which doesn't have support for encryption apart from SSL to the server. Sure, if I'm sending GMail to GMail that's fine - it falls into the same boat as MSN Messenger. If I'm sending to a non-GMail recipient, then that goes out the window.

    There are other apps which can use GMail, and do provide encryption functionality, but as with TextSecure - how common is their use (with encryption)?

  32. Landgrab by Kirth · · Score: 3, Interesting

    I understand that India has a legitimate security need to be able to wiretap communications and so on.

    Nope. This is a landgrab. Law enforcement is constantly talking about "going dark", where in fact, the light they have is much brighter than they've ever had before -- technology only made it possible to snoop on everything, and now they want the laws for actually doing so, and to lever out any countermeasures the user may take.

    In the '80s, wiretapping actually meant either a) placing a wiretap in the user's phone or b) physically going to the phone switch the user was connected to, and placing the tap there. Both were only done with a judicial warrant, and for very specific cases. Wiretapping was _complicated_.

    Now, wholesale wiretapping is easy; so easy that a lot of people and companies take countermeasures. And now law enforcement wants "to have back" capabilities it never had?

    --
    "The more prohibitions there are, the poorer the people will be" -- Lao Tse
  33. Re: Not BES, and only India by Anonymous Coward · · Score: 0

    If I were a member of the IC I would provide the CAs with root keys, partly to decrypt all information, and partly to make sure that the backbone of Internet security at least had a minimum level of security when it comes to RNG. If there were sufficient resources available, the safest bet would probably be to have the CA's "signing server" proxy the requests to the real signing server in the IC's server rooms.

  34. the hobby of automotive by Anonymous Coward · · Score: 0

    As the development of the auto field goes on, many, many people like to purchase cars for their life, and the same goes for me; I like the auto tools as a hobby. I am fascinated by a professional diagnostic tool, the m35080 programmer. It is easy to use with Windows 98/2000/XP software, and corrects mileage for BWM odometers with the M35080 chip. It can support BWM E65 / E38 / E39 / E46, etc. On the other hand, the newest version of the software is 3.0 now. As I found the product, I found my car indeed needs the excellent tool.

  35. What's the use of security? by DerUberTroll · · Score: 0

    If they are handing out their keys? Bunch of prostitutes.

  36. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  37. Urgh, just get rid of this story. by Anonymous Coward · · Score: 0

    Regardless of what the Indian Government has said, RIM has stated quite clearly that they cannot hand over what doesn't exist. Slashdot Editors should know better than to shove this tripe up, much better if you just link to The Register article instead.

  38. Re:Yes but this won't help - aboard RMS Titanic by Anonymous Coward · · Score: 0

    So ... now India is the same as the United States?

  39. Thou who own'eth the network knows all ... by Anonymous Coward · · Score: 0

    See subject line ...

  40. So much for India's IT Prowess... by Anonymous Coward · · Score: 0

    ...they are still using Blackberries. Wow. RIM might milk the Blackberry in India for a few more years, but RIM is finished everywhere else.

  41. Re: Not BES, and only India by CimmerianX · · Score: 1

    Use GPG, no one has the private keys except for me and the remote party.

    GPG with K-9 on my android works just fine.

  42. Might as Well Have Gone with Android by Anonymous Coward · · Score: 0

    The only thing left that differentiated BlackBerry for me was their focus on security over shiny touchscreens.