Comments on Canadian Privacy Law Blog: RIM reportedly gives Indian government access to full range of BlackBerry messages

Wynn (2012-04-27T01:14:13.183-03:00):

Thanks for your reply.

Within the open systems you imply, the components the user chooses are less likely to be as secure as the ones that a government requires the cooperation of the "ultra-secure communications platform" to change its policy. When the vendor has to be asked, rather than simply just have vulnerable hardware and software subverted, then the nation state runs the risk that the vendor will disclose the demand and their response.

Regarding your suggestion of choice leading to perhaps more security: I don't see FIPS-140-2 level 3 or CC EAL4+ certified components available on the Google App Store. So asserting that choice = higher security isn't evident to me. Not that these are the sole criteria for assurance. But begging a disagreeable vendor for rights to do things that the vendor has no interest in pursuing on its own, is a risk of embarrassment for that Nation's policymakers. In other platforms this may not be necessary.

That the policy was also disclosed, rather than opaquely wrapped in an NDA dungeon, is commendable. It won't help them sell phones.

Wynn

privacylawyer (2012-04-08T10:21:35.535-03:00):

Thanks for your comment. I can't say I agree with all your conclusions and I also think you are reading too much into my brief posting. I did not say that an integrated system is less secure. In fact, it can be more secure as the entire continuum is under common control. That was RIM's strength.

It is also the weakness as a government can more readily say you can't sell your devices in our country unless you do something.

With an open system, the user can choose the components to use. Also, both the system and all of the pieces are open to scrutiny in a way that is not possible with a closed system.

Wynn Fenwick, GCIA,GCIH,GAWN (2012-04-08T10:06:26.543-03:00):

Mr Fraser,

It's a sad statement when you only think you control how apps communicate and your private communications. Application security testers are painting a bleak picture of mobile application security. Check out OWASP and the findings their members are turning up. Applications that find authentication or encryption too hard often just revert to cleartext. Recently a certificate authority was issued a "wildcard certificate" for a zone much larger than the requestor should have been allowed. This allowed the person with that certificate to decrypt encrypted communications which persons believe are private. That you even know about the deal RIM made is testament to its systems security. Evidently governments that make deals have not found more economical ways to achieve their goals, and haven't been able to subvert the controls surreptitiously. The only thing worse than intercepted private communications is when the participants are not aware that their communications are being monitored, and act with a false sense of privacy.

And in that respect, in disclosing the situation, perhaps RIM should be noted as assisting Indian privacy rather than damned for being dragged into the politics of communications privacy.

Finally the assertion that a disintegrated system like Android, with the worst device security record, the least capable cryptographic intrinsics and no central authority for security accountability, is invalid. In the history of computer security, there is no evidence that an integrated system is any more or less secure than a disintegrated one. In fact, the complex interrelationships orphan security as another tragedy of the commons. Google, carriers, handset providers, and users all think the other guys are "doing security". Their understanding is inhibited by security marketecture obfuscation rather than solid design integration and testing.

I'm sure it's easy to pile on to RIM, but I assure you, it's much harder to complete factual research on security assurance. I hope your readers don't believe what you claim. They will be the victims.

Wynn Fenwick