Saudi Says RIM Deal Reached; BlackBerry OK, If We Can Read the Messages
crimeandpunishment writes "There's a deal on the table to avert a ban on Blackberry's messenger service in Saudi Arabia. A Saudi regulatory official, speaking on the condition of anonymity, told the Associated Press the deal involves placing a server in Saudi Arabia ... and letting the government monitor users' messages, easing Saudi concerns over security and criminal usage. The deal could have wide-ranging implications, given how many other countries have expressed similar concerns, or in the case of the United Arab Emirates, have threatened to block Blackberry email and messaging services." Perhaps the governments of UAE and India would be satisfied, too, if only they had access to the messages transmitted.
...and RIM capitulates. (Score:5, Interesting)
Guess they don't have any backbone to just drop the country and let the end-users take action.
Privacy (Score:2, Interesting)
I'm glad I have it.
(At least for now... my fellow US citizens seem to be completely blind to the forces at work to destroy our privacy.)
money talks, freedom walks (Score:4, Interesting)
really, that's all that needs to be said.
fwiw, I have lost all respect for RIM and will not buy their products for my own personal use. they were on the high moral ground for a while but now that they've caved in, they are no different than the other 'carriers'.
their security is now rendered 'untrustable'. what a shame.
another one bites the dust.
Travellers? (Score:5, Interesting)
I see how this solution would work for customers of Saudi mobile operators, whose phones would be pre-configured to use the 'local' BB server. What about travellers from other countries - would they have to go into their phone and manually re-configure it to contact the Saudi BB Server? Would that basically be the same steps as if you were setting up to use a corporate-owned BB Server? What if you already use a corporate BB Server? Will your messages be blocked? If the email account you are trying to check is your company email account, and the only way to access it is through the company-owned Enterprise BB Server, are you S.O.L.?
Re:...and RIM capitulates. (Score:3, Interesting)
End-users won't fix the problem. RIM would simply lose money.
The Middle East not only doesn't play by our customs, those customs are utterly alien.
They want the technology, but they remain tribalist, Jihadist, Wahabist in the case of KSA, and none of this is changing for the better.
Re:they are a business, why should they care? (Score:3, Interesting)
Why should RIM care if they make sales?
Because it's the right thing to do.
Businesses only worry about ethics when they might cause a reduction in profits.
I have yet to hear a good argument that this should be the case.
Canada and USA and a lot of other countries trade with Saudi Arabia, I haven't seen them declaring trade embargoes over Saudi Arabia's human rights issues either.
None of which has anything to do with whether RIM is doing the right thing here.
Re:but is corporate willing to give them up? (Score:5, Interesting)
People deserve the freedom they get (Score:5, Interesting)
People deserve the freedom they get. Have you read the comments on BBC's article?
http://www.bbc.co.uk/news/technology-10899338
Let me quote a few:
Abu Mohd, Riyadh, Saudi Arabia
I am an expat living in Saudi Arabia. For me the Blackberry is key to staying in contact with my family and friends in a way that I cannot do with other messaging services. I hope Saudi Arabia and RIM solve this situation. There are many people that work here who are away from their families that use this service. This ban would be one more reason to not come here, it does not help to the development of this country.
Suresh Haridas, Al khobar, Saudi Arabia
BlackBerry made our life much easier, whether we are using e-mail, internet, or BBM. A lot of people/students such as myself who live thousands of miles away from their family and friends really depend on BBM as a convenient medium to communicate. There is nothing compared to BBM in terms of quickness, convenience, and cost. On the other hand, I understand why governments such as Saudi Arabia, UAE, and others feel threatened. However, I am wondering why BlackBerry does not help these countries in terms of monitoring data and using their own servers to get to encrypted information.
Rakan H, Riyadh, Saudi Arabia
I am one of the youths who owns a BlackBerry and I completely agree that it is a major step in my country to protect it against any terrorist or anything that might affect our security. Also I believe all countries like the US should consider the same thing, because it is a tool that can be used among those people who can get access to national security and cause terror to communities. It is a perfect tool for them, cutting it off worldwide will definitely reduce the amount of global issues occurring. If it is necessary to protect the country then why not!
Jim, Singapore
I am a Canadian, living in Dubai and dreading losing my Blackberry. Most people I know are aware of the high level of security in the UAE and appreciate the benefits it provides. I would much rather lose some personal freedoms than take a chance with security. RIM has to understand that Dubai is a transit point for trade and potentially terrorism. Its population is continuously changing as over 80% of its residents are foreigners. UAE's high level of security is in the interests of the West. I am hopeful for a positive resolution but am not brave enough to buy up all the handsets that are selling cheap.
Ara, Dubai, UAE
Whilst it's perfectly true that any invasion of personal privacy in the name of national security is usually resented, I don't really understand the sense of outrage on this one. After all, don't the western intelligence agencies have extensive gathering facilities for the same sort of thing? I don't see the Gulf states doing anything more than our own governments, like it or not.
Re:Privacy (Score:3, Interesting)
The minute people seriously suspect that AES is breakable in large numbers will be the minute China proposes their own IETF draft of an algorithm, and the whole banking sector, and essentially the Internet, will change algorithms overnight.
I have seen this discussion in every major security program, be it PGP back in the 90s, TrueCrypt, BitLocker, or any other program that is relied upon to provide security. This can be reduced to three states:
1: Governments do not have an easy backdoor. Result: This won't be told to anyone to keep the blackhats from flocking to the program.
2: Governments have a backdoor that is known to the world: e.g., their country uses Clipper chips, all SSL traffic has to use an escrow key, or the originator and his family are put to death, security appliances are used to MITM all traffic and insert their own keys, or other items. The blackhats will find another mechanism like steganography [1], tunneling over various protocols, or even go back to dead drops with physical media. As always, there will be low hanging fruit nabbed to show that the backdoors are working to catch criminals, but people that mean real harm will be out of reach.
3: Governments have a backdoor that nobody outside their intel department knows about. This could consist of a hole in the encryption algorithm, a backdoor in x86 chips that allows certain microcode instructions to be executed in ring 0 if it uses a certain undocumented header, a hidden RSA override key, or just knowledge of a weak link (hashing to 40 bits, using the hash as the actual key). Here, if a government had access to information (like a criminal case where it was presented that data was obtained due to an algorithm or key storage weakness), the minute people found out that this was possible, the whole world would immediately change their algorithm selection or create an add-on which used another encryption technology. For example, if AES was found to be the cause of leaked data, TDES [2] would be reused or another algorithm used in AES's stead. Other means of encryption would either replace the algorithm, or have another pass using the new algorithm if it couldn't be replaced to ensure security. If the weakness was in hardware, countries will be building/contracting chip fabs and seeing about multiple architectures [3]. So in reality, a government could not use the fact that they had a backdoor for anything but the largest of cases, because the game will change fast once the security issue is known.
The RIM deal will put KSA into category #2, which is what they want. The smart criminals will have to move to another means of communication while the dumb ones are easily scooped up and made examples of.
[1]: Real stego programs, not the antiquated ones from the '90s that the Russian spies used. There are a lot of data streams that can easily have random bits inserted in them and nobody notice/care.
[2]: TDES was a hack so solid encryption could be done without a major hardware revamp. But other than for the tiny block and key size, it proved to be remarkably secure over a long time.
[3]: I'm sure that China could easily use their knowledge gained from various sources, or just what is done in their country's chip fabs to create their own architecture with an embedded hypervisor that could virtualize x86 machines. UNIX based operating systems could be easily cross-compiled for the new architecture (probably something like the Itanium with a crapload of registers, lots and lots of cores, and maybe even FPGA-like functionality to make any core on the die act as a GPU, CPU, FPU, x86 core, POWER6 core, or dedicated AES cruncher. Since the government would throw big dollars to subsidize this, even if it cost significantly more than an x86 chip, it would be mandated.)
Technically not feasible (Score:1, Interesting)
As a developer familiar with the Blackberry API and devices, I don't believe this "anonymous source" at all. Messages are encrypted on the device before they enter the network channel. It would be impossible for RIM to provide the Saudis or any other entity the ability to read these messages (outside of some hidden heretofore unknown backdoor which RIM has denied since its creation exists). It doesn't matter where in the world the server is (co)located.
Now, it is possible to turn off the cryptographic capabilities of the device via an IT policy. About every facet of the Blackberry device can be controlled upstream by carrier/owner installed policies, which is why it is so attractive in the enterprise. But this would be a "deal" between the Saudis and the telcos providing the devices and service. RIM doesn't control the carriers in the least, in fact, some of the stupid business decisions made by RIM the last couple of years can be attributed to certain carriers, imho.
This whole story is rubbish from a technical standpoint.