RIM Agrees To Hand Over Its Encryption Keys To India 164
An anonymous reader writes "BlackBerry maker Research in Motion's (RIM) four-year standoff with the Indian government over providing encryption keys for its secure corporate emails and popular messenger services is finally set to end. RIM recently demonstrated a solution that can intercept messages and emails exchanged between BlackBerry handsets, and make these encrypted communications available in a readable format to Indian security agencies. An amicable solution over the monitoring issue is important for the Canadian smartphone maker since India is one of the few bright spots for the company that has been battling falling sales in its primary markets of the US and Europe. In India, RIM has tripled its customer base close to 5 million over the last two years,"
Yes but this won't help (Score:5, Insightful)
Part of the appeal of RIM was that you knew governments weren't out there stealing secrets sent across your network. I understand that India has a legitimate security need to be able to wiretap communications and so on. But this isn't going to 'help' RIM. This takes away the only major competitive advantage they had, which was that using RIM meant you knew no one in the indian government was going to steal your work and sell it to someone else (which is a serious concern in india).
If anything, this just levels the playing field. And that's bad for RIM, because they aren't competitive.
Re:Yes but this won't help (Score:5, Insightful)
It's pretty clear what happened. They kept the keys secret and held out for a long time on "principle" because that was the best business decision at the time. Then, as the onslaught of iPhone and Android took its toll, the principle changed to survival, because that became the new best business decision.
It's sad, but at this point, it hardly affects any country but India anyway!
Moral of the story (Score:5, Insightful)
Moral of the story: If you do not control end-to-end encryption yourself, it is not secure.
Re:Moral of the story (Score:5, Insightful)
In this case you don't even control ANY part of the encryption, not even on your end. Something that is the absolute bare minimum for any kind of security.
Who does it effect? (Score:2, Insightful)
I think we need to make clearer what exactly the impact of this is.
Does an Indian businessman who bought a Blackberry in SouthAmerica and is working in Europe be assured on some level of privacy on communications?
Does an American businessman with a Blackberry bought in the USA visiting India on the way to China need to rethink how company documents are transmitted?
Not very clear, especially as the BIS keys can't and therefore haven't been handed over.
So we have a new server in India, but what is being routed through it?
Re: Not BES, and only India (Score:3, Insightful)
Are you saying you trust your smart phone to have only real, valid intermediate ssl certificates? Or are you so ignorant to think that governments aren't trying to man-in-the-middle SSL like crazy, especially on mobile networks.
Re:RIM's private keys (Score:5, Insightful)
Once again. For the last time....
RIM does NOT have the encryption keys used by BES servers. Those keys are held internally by businesses only, and those are then used (along with "random" data) to generate the device keys. Even if RIM somehow had the organization's master key, they wouldnt have access to the "random" data that was used to derive the device key (which is pulled from that "wiggle your mouse around for a while" procedure).
In other words, BES servers continue as unaffected as before. Call me when India figures out how to large-scale crack AES256 with unknown keys.
Re:Sell now (Score:5, Insightful)
It seems to me VPN or IMAP over SSL has all the advantages of BB without the risk they'll sell you out. And has for some time.
yeah, I was pointing this out to clients as early as 2004. I had a working IMAPS client on a Treo 650 at the time. They wanted Outlook integration over security (despite always talking about their multi-billion-dollar IP that had to be protected at all costs). Lesson learned: most people don't care about security, they just say they do.
Re:Yes but this won't help (Score:5, Insightful)
Re:Yes but this won't help (Score:2, Insightful)
sure that they don't ship a backdoor? that's essentially what they're asking for "This satisfies India's core demand that RIM provide intelligence and security agencies with automatic solutions to monitor all communication on BlackBerry smartphones on a real-time basis, an official aware of the development said."
it's a pretty crazy requirement for a device that allows programmable code and tcp/ip though.