Shostack + Friends Blog Archive
This May Be FUD


You may have seen this article from the India Times, “Govt may get keys to your BlackBerry mailbox soon.” Many people have been commenting on it, and the hand-wringing should build up to a good storm in a few days.

The gist of the article is that the Indian Government has told RIM that if the government can’t read BlackBerry email, it might just ban all BlackBerries from India, and that RIM is caving.

Being the sort of person I am, I called someone who actually knows something. I can’t tell you anything more, precisely because they actually know something.

What I was told is that this is complete FUD and false. The BlackBerry crypto is real crypto, just like SSL, PGP, S/MIME or anything else. The keys are generated on the handsets and on the BES server. There is end-to-end crypto, using real protocols like SPEKE. RIM doesn’t have the keys to give. RIM cannot give the keys over because only the devices have them.
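As an added illustration (not code from this post or from RIM), here is a toy SPEKE-style exchange in Python: both ends derive a generator from a shared password, send only public values, and arrive at the same key, while anything relaying the traffic sees A and B but holds no key. The 64-bit safe prime generated at start-up is an assumption made for readability; real deployments use standardised groups of 2048 bits or more, and the end holding the second key is whichever server the handset paired with.

```python
import hashlib
import secrets

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    if n < 4:
        return n in (2, 3)
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2^r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits: int = 64) -> int:  # p = 2q + 1 with q prime (toy size)
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1

P = gen_safe_prime()
Q = (P - 1) // 2  # order of the subgroup SPEKE works in
def speke_generator(password: str) -> int:
    # SPEKE: g = H(password)^2 mod p, which lands in the prime-order-q subgroup
    g = pow(int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % P, 2, P)
    if g in (0, 1):
        raise ValueError("degenerate generator")
    return g

def keypair(password: str) -> tuple[int, int]:
    priv = secrets.randbelow(Q - 1) + 1  # private exponent: never leaves this end
    return priv, pow(speke_generator(password), priv, P)  # only the public value is sent

def shared_key(priv: int, peer_pub: int) -> str:
    # refuse values outside the order-q subgroup before using the private exponent
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("bad peer value")
    k = pow(peer_pub, priv, P)
    return hashlib.sha256(k.to_bytes((P.bit_length() + 7) // 8, "big")).hexdigest()

def run_exchange(pw_handset: str, pw_server: str):
    # returns (handset_key, server_key, relay_view): the relay sees A and B but no key
    (a_priv, a_pub), (b_priv, b_pub) = keypair(pw_handset), keypair(pw_server)
    return shared_key(a_priv, b_pub), shared_key(b_priv, a_pub), {"A": a_pub, "B": b_pub}
```

If the two ends were provisioned with different passwords, the public values still look valid on the wire, but the derived keys will not match.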

Of course, as is true in all hatchet jobs, the lead is built on weasel words:

In a major change of stance, Canada-based Research In Motion (RIM) may allow the Indian government to intercept non-corporate emails sent over BlackBerrys.

See that? It’s the word may.

Here’s my own text, which I know may be true because I just may have made it up:

In a major cryptographic breakthrough, Canada-based Research In Motion (RIM) may soon put quantum cryptography in all new handsets, preventing any interceptions, because it’s well, you know, quantum, and quantum is cool.

Or this:

In a major scientific advancement, Canada-based Research In Motion (RIM) may have accepted an order for 10 million BlackBerrys from space aliens living on Epsilon Eridani. A faster-than-light (FTL) email relay server may be installed at Barnard’s Star as part of this groundbreaking, er, space-breaking agreement.

And even:

In a major economic development, Canada-based Research In Motion (RIM) may have purchased the Large Hadron Collider from CERN. According to officials close to the development, Canadian High Commissioner David Malone may have approved the deal not merely despite, but actually because of the chance that the LHC could create a small black hole that would devour all of France. “Canada is just fed up with the pointy-lips in France making fun of their accents and may have decided to take proactive action. Details on this one will be provided in two or three weeks,” sources close to the deal may have told Emergent Chaos. No comment was available from the United Nations at posting time.

May, while a merry month, may also be the tool of liars.

RIM, I know you’re reading this, not only because we are one of the top 25 blogs, and not at all because we speak for the President of the United States, but because Adam used to live in Montréal and is no pointy-lips. Please, please give us a definitive statement. You have to call bullshit on this sort of thing before it becomes destructive.

I know and you know that there would be no better publicity for you than to call their bluff and say, “D’accord, pas des mûres pour vous.” (“Fine, no blackberries for you.”) We would all cheer. BlackBerry sales will soar.

Photo “Indian BB” by Edlimagno.

3 comments on "This May Be FUD"

  • PHB says:

    The encryption is not end-to-end. In fact that’s something of a meaningless concept unless Alice and Bob can do large digit modular arithmetic in their head AND SHA-1. I gave up doing that after we moved from MD4 to MD5.
    All encryption is end-to-end between at least two ends even if it’s just the next hop in a chain.
    The encryption in RIM is only between the mail server and the device. In order to perform an intercept you serve the party holding the server. That’s what happens here in the US and it’s what will happen in India.
    Now in some cases governments want to be able to do an intercept without knowledge of the server. And that is particularly the case when it’s a business that might be engaged in something illegal or just a foreign competitor they want to illegally nobble. So they might be demanding some sort of backdoor.
    So US companies doing business in India might well be advised to bring their RIM server code in from the US and not mention this to the hyper-efficient Indian justice system that only takes 25 years to settle a civil case over a drain.

  • Steve says:

    The article specifically notes that this would apply to non-corporate users, so no BES. So, the endpoints are the handset and RIM’s servers, so RIM certainly have at least one set of keys. The problematic part for RIM is that they probably use the same keys for all their servers, and so it isn’t just Indian customers who would be violated.

  • Dave Birch says:

    I always call these “pork pie” phrases because of these lines in “How to get ahead in advertising” with Richard E. Grant…
    Clergyman reading the newspaper: “The police say the bag may have contained drugs”.
    Richard E. Grant: “It may have contained a pork pie”.
    P.S. This film also has one of my all-time favourite movie quotes. Richard E. Grant is looking at the health warning on the side of a packet of cigarettes and says “the only f**ker this ever frightened was the Chancellor of the Exchequer”.