Monday, April 29, 2013

BlackBerry isn't as secure as we once believed

While it's widely believed that BlackBerry is the 'most secure mobile platform on earth', it seems that, by Research In Motion's own statements, that isn't true.

http://docs.blackberry.com/en/admin/deliverables/21760/PIN_encryption_keys_for_BBM_1840226_11.jsp

The relevant portion of this document is:

"The PIN encryption key is a Triple DES 168-bit key that a BlackBerry® device uses to encrypt BlackBerry® Messenger messages that it sends to other devices and to authenticate and decrypt BlackBerry Messenger messages that it receives from other devices. If a BlackBerry device user knows the PIN of another device, the user can send a BlackBerry Messenger message to the device. Before a user can send a BlackBerry Messenger message, the user must invite the recipient to add the user to the recipient's contact list.

"By default, each device uses the same global PIN encryption key, which Research In Motion adds to the device during the manufacturing process. The global PIN encryption key permits every device to authenticate and decrypt every BlackBerry Messenger message that the device receives. Because all devices share the same global PIN encryption key, there is a limit to how effectively BlackBerry Messenger messages are encrypted. BlackBerry Messenger messages are not considered as confidential as email messages that are sent from the BlackBerry® Enterprise Server, which use BlackBerry transport layer encryption. Encryption using the global PIN encryption key is sometimes referred to as "scrambling"."


In other words, every single BlackBerry device uses the exact same 'secret' PIN encryption key to encrypt BlackBerry Messenger messages. Whoever has that key can easily decrypt anyone's BBM messages. While RIM says that they only provide that key when required by law enforcement (like the fiasco in India a few years ago), the fact of the matter is that there is a backdoor in the BBM system and, if there's a backdoor, it can be exploited by anyone who knows how.

Remember when President Obama wanted to keep his BlackBerry and RIM said they would have to 'harden' it to make it more secure? One of the things they likely did was change this global PIN encryption key to one unique to his device.

Lastly, it seems email sent over the BlackBerry Enterprise Server is much more secure as it is more heavily encrypted. But, as is usually the case, if you didn't encrypt it yourself and you don't control the keys, you can't guarantee anything.

Sunday, April 21, 2013

Want to participate in the CISPA blackout tomorrow?

Anonymous has called for an Internet blackout for April 22nd in response to the US House of Representatives passing the Cyber Intelligence Sharing and Protection Act (CISPA) on Wednesday. The collective is asking all website owners to black out their sites and replace site content with a message telling people about CISPA and why it's bad.


For those of you wanting to participate but not sure what to do, I've created a simple website page that you can download and use. Simply grab the script from my GitHub account by clicking here, upload it to your server, and either replace your main page with the new page or redirect your main page to blackout.html.

CISPA is dangerous and has to be stopped. We've beaten it before and we can beat it again. We just need to stand together in solidarity.

Thursday, April 18, 2013

CISPA just passed the House. Fight moves to Senate, President

For those of you following the continuing fight for online privacy, the privacy-invading "Cyber Intelligence Sharing and Protection Act", commonly known as CISPA or HR 624, has just passed the US House. The legislation, which now heads to the Senate, greases the wheels for companies to share your personal information with the government. It also explicitly takes away your right to do anything about it should that information be misused.

While the bill, in its current form, is not expected to pass the Senate and President Obama has indicated he'd consider a veto if it did, the fact that such a dangerous piece of legislation has successfully passed the House by such a large majority should worry us all.

Here is a list of how each member of the House voted on the bill.

Since the bill will now go to the Senate, it's imperative that we begin calling our Senators now to express our concerns with it and ask them not to vote for it when it comes to the floor. You can find your Senators' names and telephone numbers by going to www.senate.gov.

Wednesday, April 17, 2013

Is it the end of the road for Microsoft Windows?

According to this study by IDC Research, PC sales have taken the worst plunge in a generation. While some of that could probably be attributed to the growing popularity of tablets and handheld devices, a good amount of blame can be rightly leveled at Microsoft and their new, snazzy, Windows 8 operating system.

Since Windows 8 was introduced, its reception has been almost universally negative. It's confusing, it's too much change too fast, and it basically forces the user to learn what amounts to an entirely new operating system for little or no benefit. The catastrophe of Windows 8 seems to be even worse than that of Windows Vista.

Now is an excellent time for Microsoft to focus on Windows 7 or at least bring the Windows 7 Aero interface to Windows 8 and give users a little bit of solid ground. This would be the sensible move since many (most) of the complaints are about the new user interface, which Microsoft calls "Metro"...or "Modern UI"...or whatever they're dubbing it this week. But, no, instead of trying to stop the bleeding and give longtime users something to hold on to, Microsoft is doubling down on the Metro interface in Windows "Blue" and shoving it harder and deeper down the throats of confused and increasingly angry customers.

I think this presents an excellent opportunity for alternative operating systems like Mac OS X and Linux to introduce users to their offerings. Since users have to learn a whole new system anyway, why not learn something better, more stable, and more responsive to their needs and wants? I believe Linux, in particular, stands to gain the most from the surge of unhappiness as it can present itself as the free, easy-to-customize, non-control-freak alternative to Windows and Mac. Not only can users tweak their machines to look and function in any way they like, but they can realize real money savings as software for the platform is largely free.

Overall, I believe this is the end for Microsoft Windows. Microsoft pushed too hard, too fast, and now they're paying for it. The PC landscape is going to get very interesting over the next few years. Sit back and watch where it goes. You might be surprised by what you see and how little of it includes Windows.

Thursday, April 11, 2013

BitVendor is reaching for a funding goal. Can you help?

As some of you probably remember, I'm serving as lead developer on a Bitcoin-related project called BitVendor. BitVendor is a point of sale system (glorified cash register and inventory management system) for Bitcoin (find out more here). I've been involved for a few months now and things seem to be going well.

We're a small team - just three people - working hard to develop a great piece of software that does the Bitcoin community proud. But we simply had to face the fact that, working on the project part time, we weren't going to get it done anytime soon. There's a lot to do and just too little time to do it.

So we started a fundraising campaign. You can find it by clicking here.

The idea is that we'd like to raise enough money for one developer to spend the next two months working full time on completing the software while the rest of us help out where we can and when we have time. We've estimated that $7,500 is enough to make it worth said developer's time and so that's our funding goal.

With any luck (and with your help), we'll reach our funding goal in the 41 remaining days. It'll be tough, but I believe we can do it. So if you want to help out a worthy project that's seeking to help the Bitcoin community, please hop on over and make a donation.

Lastly, I know in my last post I said I'd be doing a series of security-related posts. Unfortunately, time has been very short and I've not had time to write them up. I'll get on those as soon as possible and should have the first article posted sometime next week. In the meantime, I'm working my behind off on BitVendor.