Tuesday, November 02, 2010

In which I get irritated, and show someone what "Expert" REALLY means

Now, I think all my regular readers know that I am, without any reservation, an expert on both mobile telecommunications and information security. I have both extensive knowledge and extensive experience in both fields; and frankly this should be obvious from even a cursory reading of any one of my postings on the subject.

Normally, I just use the verbal shortcut "I do this for a living", and that gets the point across... but sometimes, not so much.

So, on another site, someone asked for useful comparisons between the iPhone and the Blackberry. As I am intimately familiar with both, I decided to chime in; and included a bit of data about Android in the process.

So, here goes:
"I have all three of the major smartphone platform devices (all others are now obsolete if not orphaned - sorry Palm, Nokia, Sony Ericsson et al), a Blackberry being required for work, and having switched from iPhone 3GS to Android (Droid X) a few months ago.

The iPhone (platform) is a computer with a smoothed and simplified interface, no hardware keyboard, and a locked down software base, that happens to make phone calls.

The Blackberry (platform) is an email appliance, with a not particularly smoothed and simplified interface, generally a hardware keyboard, and a locked down software base, that happens to make phone calls.

The Android (platform) is a computer, with a reasonably well smoothed but not particularly simplified interface, which is nearly completely customizable, can have either a hardware or software keyboard, has a wide open software base, and happens to make phone calls.

Of the three, the iPhone is the "best done"; as in the smoothest implementation, the cleanest hardware integration etc... It's also the most expensive by far, and the most limited in options... though the huge application base does in part make up for it.

The Android is slightly less "well done", but is improving constantly, has near infinite options, and the application base is growing rapidly.

The blackberry platform will be dead in three years. It is the most limited in functionality, it has serious security problems, it has serious privacy issues; and the one and ONLY thing it does very well, email, can actually be done just as well if not better by the others. The only thing keeping Blackberry alive right now is the large corporate install base, and they are largely looking at the next tech refresh period and looking to integrate Android and iPhone.

My company, one of the largest and most conservative in the world, and one of the largest Blackberry customers (over 100,000 Blackberries in our various organizations and divisions), has already certified iOS and its enterprise Exchange connector, and already offers iPhones. I just can't have one in my area because AT&T's network is crap here. They also offer support for the iPhone VPN connection. They are in the midst of validating and certifying the VPN connection and Exchange connector over VPN for Android.

I know that pretty much every other company in our sector is doing the same thing, as are many former clients in healthcare and medical, finance and insurance, and technology.

The only big organizational customer not looking to dump blackberry right now is the fedgov, and that's because they have a "special relationship" with RIM regarding security.

Guess what? They also have that same relationship with Microsoft, and there is a trusted secure version of Windows Phone 7 on the way (as it happens, a good friend of mine is a senior developer in the WinPhone7 devteam. I'll have to pick his brain on that). From what I have heard from inside GD though, the next secure mobile telephone unit from General Dynamics, will be running WinPhone7.

Best bet? RIM gets acquired by someone looking to make a play in enterprise messaging (Cisco? MS?) and becomes a software and backend company, offering groupware sync from cloud to mobile and back to desktop.
WinPhone 7.... ask me in a year."
So, pretty straightforward, right? Nothing particularly earth-shattering, or for that matter insult-worthy, right?

Well, apparently there was....
@IncorrectUser1 "@AnarchAngel, You're wrong about Blackberry. It's the ONLY device that offers full security for the end user."
@IncorrectUser2 "AnarchAngel wow are you uninformed to say the least. RIM and their Blackberry devices are VERY secure, they are highly encrypted and provide great security for their end users. RIM recently risked getting banned in India and the UAE because of the encryption and security they had on their devices because it wouldn't allow the government to spy on their users. Apple and the iPhone don't have this kind of thing. As for Microsoft, they hand over every way they know of to let the government spy on the users of their software, with little more than a kind word.

As for the security issues with RIM and the Blackberry, they pale in comparison to the iPhone, it gets jailbroken, aka hacked, within days of releasing the new version. I won't even start with the amount of security issues that Microsoft has, however XP was certified with the "you showed up and turned on the computer" security level by the NSA when it went in for test. Blackberry's Unix got rated higher than that."
Whoa boy.... he don't know who he's talking to, now does he....

This is the part where I get tired of half-"experts", and let my inner asshole free for a minute...
"Normally I hate this, because it degenerates into pointless shouting, but f**k it, let's play.
Before you call someone uninformed, because they disagree with your marginally informed opinion, you should know who it is you are dealing with.
I'm chief infrastructure architect for the retail, credit card, and internet banking division (yes, they're all one division) of a major bank; and was a security architect and consultant for years before that.
My work as a consultant, included work in information and communications security for Lockheed Martin mission systems, and General Dynamics.
If you know anything at all about security, especially about security in mobile communications, you will understand the significance of that. 
I was also an intelligence officer in the USAF(R). My last two years in the reserves were spent in communications security. In fact, that's primarily how I got the contracts with Mission Systems and GD to begin with. If you happen to know anyone in that world (which I rather doubt), I could give you contacts to verify.
I am being somewhat vague here, because of security considerations, both from a clearance standpoint, and from a professional responsibilities and ethics standpoint; and of course because of NDAs.
Now, if you want to start arguing security credentials, great: I'm a CISSP, and CCIE (security). I'm a certified systems engineer/expert and instructor for Checkpoint, Nokia, Netscreen, Sonicwall, RSA (SecurID), McAfee, Symantec, and ISS. I am certified as a security engineer and to give instruction on security in Windows Server (up through 2003; I didn't bother recertifying for 2008), Red Hat Enterprise Linux, Solaris, HP-UX, and AIX.
I should say, I WAS all of those things. Some of those certs have expired, or were dependent on working for a certified training partner (as my information security consultancies were, for various vendors, as were the consulting practices I worked for). I honestly don't keep track. In IT one collects certifications all over the place, and generally you only maintain them if someone else is paying, or they are critical for the job you are doing.
As a consultant and professional trainer, I have trained thousands of other engineers and architects on the principles of information security, on how to evaluate information security, and on the specifics of implementing security technologies in their environments.
I have two published textbooks (co-author) on information security, as well as dozens of published articles in industry publications.
I co-founded and acted as chief technical officer for two different independent security consultancies.
I was the senior security architect and senior consultant for three other nationally and internationally known consulting practices.
I am one of the co-founders of the Linux advocacy council, and a former chair of its security subcouncil. I was a frequent presenter before the Irish Information Security Forum (IISF), including presenting one of the keynotes at the first general meeting in 2001; and the European Information Security Forum; as well as a presenter or co-presenter on information security topics at SAGE, USENIX, Defcon, and several other industry events, multiple times.
I, as chief architect for one of the partners in a technology alliance, along with security engineers and architects for Hitachi, EMC, Brocade, and Juniper, co-developed, and was assigned as a developer on, patents on a number of security technologies relating to secure multiuser SAN environments, SAN switching security, secure distributed SANs, and SAN firewalling.
If you have any idea who works in security, we can talk about the people I know, and who knows me...
Oh and just coincidentally, I happen to know the delivery manager for the next generation Sectera mobile Secure Telephone Unit from General Dynamics. As it happens, she's engaged to my best friend. They're supposed to be married in April, but I think they're changing the date again. She works out of the facility on McDowell in Scottsdale. Great lady. Third generation Mexican American, but she talks like a California girl. 
... but frankly, I really don't need to do any more dick waving. If you know anything about information security, or have worked in the field, you probably already know who I am. If not, it would be meaningless to you anyway.
But, let's just get this clear.... I am almost certainly better informed, more knowledgeable, and have more experience in this subject, than you.
Now, having taught someone what "Expert" REALLY means, I get down to destroying their misinformed points.
I know all about Blackberry and RIM's security; both in the commercial and government context.
For one thing, I know that the NSA, DIA, CIA-S&T, and DISA have all been working with RIM and simultaneously trying to get rid of them in government service BECAUSE OF SECURITY CONCERNS, for years. I have worked on several associated projects and contracts.
Why the hell do you think they made Obama stop using the Blackberry for presidential business? It's certainly not because it was "too secure" and the NSA wanted him to use something less secure. There is a REASON they made him move to the GD Sectera mobile STU.
Why do you think JSOC just put out the order to switch to Android phones and iPhones, with a newly developed set of security tools; and are migrating their enterprise connectors away from BlackBerry Internet Service and Blackberry Enterprise Server, and to Android and iPhone enterprise connectors as soon as they can (last I heard they estimated it would take two years)?
Thanks to NDAs, I know a hell of a lot more than I WANT to know about RIM and Blackberry "security".
Now, the difference between Blackberry, and the iPhone and Android systems, is that Blackberry pretends to be secure, and assumes a trusted third party. Neither Apple nor Android does.
If you are using Apple or Android in an enterprise messaging application, you encrypt all the traffic end to end, with encryption that you manage, using industry standard protocols. At no time in flight is any communication un-encapsulated or decrypted, and at no time does un-encapsulated cleartext pass through any systems controlled by either Apple or Google (though like all encapsulation systems, endpoint analysis and volume analysis are possible for elements of traffic analysis).
All three operating systems have exploits. Most of them are zeroday rooted with every update and revision. The point is, DON'T TRUST THE PLATFORM, and most certainly don't trust any third party.
No system that requires a third party controlled messaging server can be guaranteed to be secure or private.
No system that requires proprietary protocol use, managed and controlled in an unaudited code base by a third party in a remote location, can be guaranteed to be secure or private.
No service that depends on the good auspices of a third party to function (excepting public key services with a trusted certificate authority), or that requires third party management access (in the case of enterprise, onsite, organizational, or nationally controlled blackberry servers for example) is reliable or highly available, in the context of high security.
That is how BES and BIS function, therefore no system depending on BES and BIS can be said to be secure.
The three elements of security are Confidentiality, Integrity, and Availability. With Blackberry, you can't guarantee any of the three, not because of the base technology, but because their system architecture builds in this weakness explicitly.
There is a REASON why repressive governments allow Blackberries. It's because RIM builds holes in BES and BIS to allow those governments to spy on Blackberry users within their countries (to varying degrees; RIM has proven very willing to work with governments). They allow the NSA and the FBI to spy on users in the US and Canada, BY FEDERAL LAW in both nations; as well as by consent decree.
They don't disclose this publicly in plain language, but it's not exactly a secret either. It's easy enough to understand when you read what they DO say.
No, Blackberry email services and blackberry messenger are NOT secure; with regard to governments.
They are regarded as secure commercially, only because any company that could prove a breach by RIM would sue them into oblivion; and for commercial purposes that is considered adequate.
Apple and Android have their own security issues; but they are host based, and can be addressed at the host level, rather than an inherent weakness based on infrastructure architecture.
... Or at least no weakness every other device that depends on the TCP/IP stack doesn't also have anyway."
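The architectural point above, a relay that holds the keys versus end-to-end encryption the organisation manages itself, as an added illustration that is not part of the original post or of any vendor's code: a Go model routes the same message through a relay under both designs and shows that the relay reads plaintext only in the first, while the endpoints and the message volume stay visible in both. The names Inspect and Compare are assumptions, and AES-256-GCM stands in for whichever industry-standard protocol is actually used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// RelayView is what an intermediary server learns from one message it forwards.
type RelayView struct {
	From, To  string
	Bytes     int    // endpoints and volume are visible in both designs
	Plaintext string // empty unless the relay holds the decryption key
}
func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
// seal encrypts with AES-256-GCM and prefixes the random nonce to the ciphertext.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // keys passed here are always valid 32-byte keys
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; it fails on a missing or wrong key or a tampered payload.
func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if n := gcm.NonceSize(); len(ct) >= n {
		return gcm.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// Inspect models the relay: relayKey is nil in the end-to-end design (the server was never given one).
func Inspect(from, to string, payload, relayKey []byte) RelayView {
	v := RelayView{From: from, To: to, Bytes: len(payload)}
	if pt, err := open(relayKey, payload); err == nil {
		v.Plaintext = string(pt) // hop-by-hop: the relay reads the message before forwarding it
	}
	return v
}
// Compare routes one message through both designs and returns the relay's view of each.
func Compare(from, to, msg string) (hopByHop, endToEnd RelayView) {
	relayKey, orgKey := newKey(), newKey() // relayKey is also given to the relay; orgKey only to the two endpoints
	return Inspect(from, to, seal(relayKey, []byte(msg)), relayKey),
		Inspect(from, to, seal(orgKey, []byte(msg)), nil)
}
```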

And that folks, is what Expert REALLY means.