26 comments

[ 28.5 ms ] story [ 875 ms ] thread
Bonus feature: "For the record, I have absolutely no idea what this quote of mine from the Reuters story really means".
It means the person listening to Bruce had absolutely no idea what he was saying so when s/he paraphrased it, they just took words out.
And they complain that journalism is a dying profession.
How would a startup go about selling monitoring services to the UAE government?
Considering that the traffic is encrypted between the devices and RIM's servers, you'd have to try to 1) break the encryption or 2) gain access to RIM's internal network, and 3) check your morals at the door. Good luck.
they already have the monitoring capability. where they don't they just block the site/service (ie. Blackberry, Skype or any VoIP service really)

You might make a fortune selling VPN etc solution access to expats there though.

I wasn't asking specifically about this situation. I was considering niche markets like P2P. I know the government blocks torrents but I have seen many clients on the Gnutella network that are from the UAE.
Get yourself a partnership deal with Cisco or Juniper UAE. And before you set feet in Abu Dhabi, sell your monitoring services to another government (preferably the U.S. government.) Then enter into a public negotiation with Saudi Arabia.

Hard, I know. But as soon as you sell to the UAE the rest of the Gulf will follow. Wherever Abu Dhabi goes (not Dubai!) the rest go. Dubai is such an anomaly, it's hard to predict your success if you first gain traction there (unless you're targeting South Asia; success in Dubai almost guarantees success in the Indian subcontinent.)

Saudi Arabia is always the first to show interest in a new technology, and the second to last to adopt it. Dubai gets the first regional office. Abu Dhabi buys it first. Kuwait and Qatar watch from afar, and only join in after they negotiate the best deals for themselves, and they're the first to iron out their laws to accommodate this social change (Kuwait, specially, is the most socially progressive country in the region). Bahrain and Oman usually take their time, and along with them comes the Saudi government.

Note: this information is extrapolated from vague familiarity with mobile phone adoption, GPS, broadband, Co-Ed higher education, franchise western food chains, etc.

It's the little freely shared nuggets like this that makes this community incredible. Thank you.
>RIM makes a big deal about how secure its users' data is, but I don't know how much of that to believe:

It sounds like RIM is describing normal public key encryption. I'm not sure why Schneier thinks they have the plaintext, though admittedly "customer data" could refer to anything.

Since you're presumably entering the data (i.e., email text) using a BlackBerry device, running an RIM-developed operating system, device drivers and so on, RIM most likely "have" your data.

At least that was how I interpreted it, and it makes sense to me.

Especially considering on the other end your email comes out as plain text (it's not a requirement to send to other BB devices). Perhaps their messager service works completely encrypted, but as far as emails go that's surely not the case.
That's like saying Mozilla has emails you sent through Gmail, because you know they made Firefox. It doesn't work that way.
This is from the BES Security Technical Overview [1 p.30] [pdf]:

    Before the BlackBerry device sends a message, it 
    compresses and encrypts the message using the device 
    transport key. When the BlackBerry Enterprise Server 
    receives a message from the BlackBerry device, the 
    BlackBerry Dispatcher decrypts the message using the 
    device transport key, and then decompresses the message.
Doesn't that mean that BES has the plaintext?

[1] http://docs.blackberry.com/en/admin/deliverables/16650/Black...

BES has the plaintext, but where is BES located?
He makes an excellent point about that nonsense 'even we at RIM don't see the unencrypted data' which RIM seems to think convinces people. How can makers of the software doing the encryption not know the plaintext?
By not having control over the endpoints where the data is encrypted and decrypted, and being trustworthy.

Microsoft don't have the plaintext of Windows user's SSL encrypted web browsing, but they could if they changed their software to send them the plaintext too.

They don't have to do the encryption on their computers, they can do it on the devices.
Corporate email is encrypted between the Blackberry device and the corporate mail server. RIM has no access to it.

Consumer email is encrypted between the device and RIMs own servers, therefore they have access to that data, just like any other ISP-hosted mail.

BlackBerry Messenger traffic could be encrypted device to device, but I don't know if that's actually the case.

Related: In 2009, Etisalat prompted its UAE BlackBerry users to install a surveillance application disguised as a performance update[1]. The update resulted in crashes and lowered battery life resulting in RIM to issue its own update to remove it.

[1]: http://news.bbc.co.uk/2/hi/8161190.stm

Schneier and WSJ seem to put an emphasis on the concept of government interest in monitoring its citizens (or subjects in the U.A.E. I guess). The internal motivations for this action may be different. For example, maybe the U.A.E. sees BB as a bit of critical infrastructure that they don't want other countries to be able to monitor.

First article: "The U.A.E. acted after RIM refused to set up a proxy server in the country as required by its 2007 contract with telecom provider Emirates Telecommunications Corp., a majority of which is owned by the government, according to the person familiar with the situation."

Second article: "The U.A.E. wanted RIM to locate servers in the country, where it had legal jurisdiction over them; RIM had offered access to the data of 3,000 clients instead, the person said."

Some countries that are kingdoms still refer to the people as 'citizen'. United Kingdom passports says "British citizen"
It can also have other legal implications. We (a non-US company) just got informed by legal that we shouldn't email copies of our patents internally because our email supplier is in the US - and any of our patents could be regarded as US property.

So a contract sent on a Blackberry between two UAE parties - could come under Canadian law.

To be completely honest, I think this is a ploy by RIM to make them seem insanely secure. So secure that paranoid countries want to ban them because they can't evesdrop on their people.
RIM should sit tight and do nothing, IMO. Those 500,000 users are likely to be the most important movers and sheik'ers in the Saudi kingdom. When their Blackberry service goes dark, the government absolutely will be held accountable.