Slashdot Mirror
Police Say They Can Crack BlackBerry PGP Encrypted Email (sophos.com)
schwit1 writes: Police in two countries have claimed that they can read encrypted data from BlackBerry devices that are being marketed as having "military-grade security." The story originally broke when Dutch website Misdaadnieuws (Crime News) published documents from the Netherlands Forensic Institute (NFI), a Dutch law enforcement agency, stating that police were able to access deleted messages and read encrypted emails on so-called BlackBerry PGP devices. A representative from NFI confirmed that "we are capable of obtaining encrypted data from BlackBerry PGP devices," according to a report from Motherboard. On Tuesday, the Royal Canadian Mounted Police (RCMP) also told Motherboard they can crack encrypted messages on PGP BlackBerrys.
It's called "Pretty Good Privacy".
Thirty four characters live here.
BlackBerry has an intense cadre of Internet shills that likely will be defending them within about a day or two. Just watch.
For any sane person that cares about their privacy and safety, this should be the nail in the coffin for BB.
They aren't cracking PGP. This came from the forensics department. By far the most likely scenario is that they're able to recover either the key from memory/flash, or the unencrypted plaintext.
Also, people still use Blackberrys?
Nobody said anything about 'cracking'.
They were able to 'read' the messages after hitting the user with a wrench to get the password.
"we are capable of obtaining encrypted data from BlackBerry PGP devices,"
Yeah, that's kind of the point. You ASSUME that people can obtain your encrypted data. It's the decryption that counts. Where are they saying that they can actually decrypt stuff without having the private key?
PGP works great for Linux users. If I had to make a guess as to why it's not working so great for BB customers, I would just take a stab in the dark and say it's related to the fact that BB's CEO openly defends putting backdoors in phones and computers for "lawful access" by governments.
That makes it military grade in an unintended sense. If you're a general, you want the capability to monitor your drones and troops.
Does this mean those who are wanting backdoors in our devices have lost their argument?
They almost certainly can't "crack PGP"; they may, however, have found flaws in the way Blackberry uses PGP. Or perhaps they are simply referring to the fact that they can intercept data as it is being decrypted on the device.
So-called?
WTF with the scare phrase?
"I don't know, therefore Aliens" Wafflebox1
What's funny is that no-one except the Government of Canada uses Blackberries (and of course, probably terrorists) ...
so what the RCMP is saying here, is that they car crack the blackberries of their fellow co-workers.
your tax dollars at work !
Great.
Using PGP/GPG from the command line, I have some control over what happens, where the decrypted data resides, etc. When it's all wrapped up in some opaque GUI that tries to dumb the whole thing down and shove it out of my control, that introduces many weaknesses that an attacker can exploit.
Just use GPG from the command line on data you very carefully control where it resides - e.g, never unencrypted on a disk.
I don't want the Royal Canadian Mounted Police reading my messages, and I don't care HOW much they are into taxidermy.
This is a company that takes BB phones and puts their own encryption software/tools on it. This has nothing to do with BB from what I can see. How is any of this on Blackberry except for the speculation that it may or may not involve a backdoor mechanism, which is not proven and which BB has always denied.
I'm curious as to why any agency would announce that it could read these messages publicly? The bad guys now won't use this perhaps? It's akin to the national argument over Snowden revealing the collection of phone records and everyone screaming how the bad guys will now have this info and that put everyone at risk.
And so can the US government, contrary to what they say. They have been able to crack PGP since 1996 when they dropped the case against Zimmerman. At the time encryption technology was considered a munition under the Munition Control Act of 1954. When they developed the ability to crack PGP the case against Zimmerman was moot. It's never been admitted by the government, but that could be the only reason for dropping a case they had pursued for years.
Some of it to coerce citizen behavior, like convincing people that the encryption on their phone's isn't effective so that they wont use it.
printf "U2FsdGVkX1//ccm8BS49awOPN+pijVF1sOLRYrWUE2A5m7wZDpS26n3QCxl181gQ\nIJLkgsJ9UaJEYz+/Xfoz7g==" | openssl aes-256-cbc -a -d
If they truly had that capability, I doubt, they would've advertised it. The announcement seems intended to scare people off using Blackberries — perhaps into some other devices, which the police actually has easier time with.
Yep, just the sort of non-committal speak one would expect from the police. It sounds like they cracked it to a layman, but does not actually say so...
And even if they can, actually, recover the text, from the above quote it seems like they still need the sending and/or receiving Blackberry device to do so. In the latter case, the "cracking" would not be much of a feat at all, because that means possession of the recipient's private key...
In Soviet Washington the swamp drains you.
... BlackBerry devices that are being marketed as having "military-grade security."
To be fair, Blackberry / RIM never said whose military.
It must have been something you assimilated. . . .
They don't say how they did it. Did they guess the user's password? Was this a BES controlled device? What model? What version of software?
As a BES admin, I'm not too concerned at this point.
"A plan fiendishly clever in its intricacies"- Homer Simpson
I saw this summary somewhere a few days ago, and was like "whatever I don't use Blackberry and don't trust them anyway".
Then it hits here, and immediately posts point out that these are third party modifications on Blackberries that are getting cracked. That seems an important detail- the clickbait headline had just meshed with my worldview, so I was assuming this was a problem with Blackberry based on the headline.
Granted, I didn't read TFA when it was in summary before. But the fact that this really means that the third party modifications are imperfect is not really hinted at. Like "Police can read all iphone data" and it applies to a safe that police can break into that was advertised as being police-proof for some reason.
Mod some of those guys up pls.
I'm no Blackberry fan. I would never trust the company and I sure don't use one. But I'm surprised that everyone just seems to accept the claim. I expect that if there were any secure device out there that several gub'mints would be actively telling people "oh, we can crack that", a message which comes across as "Don't use that if you want to keep your communications private" and ends up steering people to devices that the snoops really can crack. Maybe they can crack it, but if so why tell us about it? I don't have enough trust in any government to believe this blindly.
I'm an American. I love this country and the freedoms that we used to have.
Yeah I'd bet the code looks like this:
save(msg, temp_file)
encrypt(temp_file, encrypted)
mail(encrypted)
delete(temp_file)
Retrieving the plaintext is therefore a matter of recovering the deleted temporary file.
Your line "whatever I don't use Blackberry and don't trust them anyway" precludes this article being important in either case.
> whatever I don't use Blackberry
or commas, apparently.
A few posters nailed it, this is a 'Fear campaign' against an OS that LEO's have never been able to penetrate. FACTS: 1. The core of the Blackberry 10 OS is QNX which is used for Aerospace/Defense systems. https://en.wikipedia.org/wiki/... 2. The current LEO issued "Smartphone Recovery Kit" as advertised does NOT support BB, but does crack iPhone & Android Smartphones http://www.npr.org/2014/03/20/... 3. Not one shred of ACTUAL/PHYSICAL evidence? Just numerous 'stories' or references to vague third-parts apps... 4. While other Gov. Officials in various countries have had their communications hacked, Obama (and the last few Pres) have NEVER had their phone compromised......guess what Obama himself uses? dun..dun...dun.........BLACKBERRY http://www.zdnet.com/pictures/... I feel sorry for BB as a company, there has been a coordinated campaign for years to discredit and destroy them, granted US consumers aren't smart enough to value security and chose Free Apps/Cheap Price (Android) and Hip/Youthful (Apple) which, in a word, sucks :(
THIS IS MY FIRST POST TO /.
I know this is a polarizing opinion argument, but I tried to post links where possible and hope this helps clear some misconceptions!
3 Slashdot
No no no, it should have been something like:
"You are all cows, 512 bit DSA using Cows!" You have to make reference to the actual topic at hand like the real Cow Guy.
If there is some point or another in which the key is present on the phone, then there is likely a way to use it. The key itself being probably a 3072 bit number itself can't be brute forced or even algorithmically weakened to something meaningful. The user however doesn't type a 3072 bit key each time. The private key is stored on the phone and encrypted with a 8-10 character password which is likely based on the 70 (or so) easily typed characters on the keyboard. So, it's only necessary to weaken the cipher for the key store and brute force the rest. Since almost all mail starts with some form of SMTP header, it is likely a really easy search.
It may be true, but another reason to claim such success would be to scare people away from using something they can't crack.
A berry.
Almost certainly a non-technical person making that statement. They're probably thinking "we got messages of an encrypted BlackBerry before, so obviously we can crack PGP", when actually they used social engineering or threats to obtain the password.
break a series of encrypted emails held on Blackberrys modified by Canadian firm Phantom Secure
Conclusion: (a) don't get phones modified by a shady third party with government connections, and (b) don't take Slashdot summaries at face value (but we never learn that one, do we)
"Politicians and diapers must be changed often, and for the same reason."
I practically read the comments section just to find out how the headline is lying to us.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
Duhno, I had no problem believing that was sexconker ...
The original Dutch article shows a letter from FIOD (Fiscal Information and Investigation Service) asking NFI (National Forensic Institute) to decrypt the contents of a Blackberry Curve 9320. NFI said the retrieve data from the phone using Cellebrite's UFED 4PC software and then decrypted it using NFI's own method.
The also say the receive a NFI report that describes the case where 279 out of 325 encrypted messages on a Blackberry 9720 could be decrypted.
It is my experience that the police say a lot of things, and most of them are lies. Especially things told on a witness stand.
Dumb executives are deeming user portable devices safe enough for general purpose use.
The same ones that gave Blackberry fan club status - once.
That is emails etc on iPads and the like are all up for grabs, and so called remote wiping is not a given either. The jig is its a work supplied device, but strangely Samsung BYO is not on offer.
I conclude Blackberry is on the nose, and more people will move away - because flash words like 'military' now mean zip. short short short I say.