I didn't read anything. Got the company name from the title, picked up my blackberry and called them. Then i got answers to my questions, then i bought their product.

Yourself and the other mod seem to be the only people in the whole thread more interested in Apple Inc products. I suggest you call elcomsoft and ask them about the platform you're using.
IOS for me is what runs in Cisco routers.

That kind of ignorance ("I didn't read anything --the-economist") can also be called pure stupidity.
Blind fanboism.
Trolling.

Trolling with a generous dose of BS at that. I wrote "iOS" not "IOS". The troll knows the difference unless he truly is stupid. And do say, he already had the phone number in his device? If not, he read something to get the number.

The statements some of these fanboi tolls use to argue their points are truly ridiculous.

I really can't see the reason behind the personal attacks against me from the moment you joined the thread, but yeah, whatever, have fun..

Yea, at this point he's just 'lying'.

I think you were the first to throw out the work 'troll', at me, when I was not the first to mention Apple.

Learn to read.

I'm not getting into calling people names or questioning where the fault lies. This sounds like a real problem.

Suppose someone chooses for their password a short, same case, letters-only password - which is fairly typical if you have to enter it every time you want to use your BB.

Anyone finding (or otherwise acquiring) the device can use this software to get into your blackberry, your personal info, and - by extension, I guess - your connection to whatever is available through your BES.

Again, this sounds like a real problem. First and foremost, everyone should either remove encryption from their media card, or change a password to one that's quite annoying - and strong.

The finger-pointing and name-calling can wait.

-jk

Exactly! Agreed.

And anyone who has used ANY computer in the past decade and not heard that ^^ message is deaf and dumb to begin with.

It is a real problem. A mixed case annoying and strong password is near unusable if it needs to be entered every time the device needs unlocking. There is always a tradeoff between security and usability.

I bought the software from the company mentioned in the thread. My letters/numbers 4-digit unlock code was spit out in seconds. The SD card is not even needed, any encrypted single little file from the card does the job.
This needs to be addressed urgently.

Oddly enough the developer of the app doesn't even say it works in the way you describe. Perhaps you're not trooful with us again?

Please clarify your last sentence. First you say the SD card isn't needed, then you say "any encrypted single little file from the card does the job". That doesn't make sense the way it you've stated it.

Also, I hope you know that saying "it needs to be addressed urgently" here has no effect on what happens at RIM. RIM doesn't own this forum or read this forum. You should direct your concerns and suggestions to RIM in that respect.

I don't encrypt my card (there's nothing sensitive on it) and I have no idea whether his test is accurately reported. However, if the OS encrypts files one by one rather than encrypting the entire card, it seems plausible the software would only need a single file to decrypt and deduce the password.


Regardless of who may read this board, RIM does need to address it, and soon. It's a major vulnerability.

If I were responsible for a BES installation and keeping corporate data safe, I'd be quite worried.

-jk
Posted via BlackBerryForums.com Mobile

It is the file(s) that is encrypted and not the card. If you have had encryption disabled and then it is enabled, only files that are written after are encrypted. And when encryption is then disabled, those encrypted files remain encrypted, and files written after encryption is disabled are not encrypted.

From what I read of the software, all you need is a file from the card, which of course means you do need the card to get the file.

What I think I understand is that if you want to be able to move the card to another BlackBerry and read the encrypted files on that other BlackBerry, then there isn't anything else RIM could have done. All other solutions require information on the handset, such as using the device key setting, or a so-called "salt," which would mean the user could only read the the encrypted files on the original BlackBerry.

The real true practical solution to protect the BlackBerry handset password from discovery in this instance is to either not enable encryption using only the device password, or to use a very strong password if you do.

I personally don't see a problem with a strong password for me and the way I use a BlackBerry. If I had a 5 minute time out forced on me it might be a different story. But setting a reasonable time out and manually locking my BlackBerry when I think I need to works for me.

I hesitate to think it's a big deal for RIM because from what I understand I don't know what else they could have done for users who want to encrypt but still want to swap cards between BlackBerrys. It is a big deal for those users, however, but they've created the problem if they are using weak passwords.
Posted via BlackBerryForums.com Mobile

Doesn't need the card, needs an encrypted file from the card. Clear now?

No, that doesn't make sense. Do you mean it needs an encrypted file on the device or on the media card? If it needs an encrypted file on the media card, then it needs the card also.

See the post above yours:
emphasis mine

Minor point, but that probably should have been, "all you need is an encrypted file from the card..."
Posted via BlackBerryForums.com Mobile

It doesn't really matter whether cloak-and-dagger types are hacks a single encrypted file so he can access your phone while your back is turned, or someone just goes after your BB with the card still inserted, hacks it, and gets while the gettin's good. It could be corporate espionage or law enforcement or your soon-to-be ex.

It all comes back to the same point: if someone simply acquires your blackberry - by whatever means - that has an encrypted data card or perhaps even just an encrypted file, then all your data, phone, and any BES access are all vulnerable to exploitation.

The only two safe options are to either not encrypt (and change your password if you leave any encrypted files behind) or use an annoyingly secure password (which lots of folks just won't).

The remarkably fool-proof BB protection of wiping of your phone after 10 failed tries (generally safe even with a short, easy password) no longer applies if you encrypt your data card. Regardless of semantics, this issue is a Big Deal and should get attention.

-jk

Just a little clarification...
This is only true if you choose to encrypt your media card using the handheld password as the key.
It is possible to encrypt to the device itself, and not the password.
If the encryption keys are based on the device ID as opposed to the handheld password, then this vulnerability goes away.

100% agree , no question about it. Problem is when a security feature is exploitable (which is rather common in the software world and nothing close to the drama some posts in the thread made it to be) the solution is vendor acknowledgement and patching of the vulnerability rather than the user running in circles trying to protect themselves from a poorly executed implementation.

You and i and some thousands of forum users may be some technically inclined. That doesn't extend to the whole of the platform's userbase.

The "vulnerability gone away" solution should only come down through the official vendor channels that manage the codebase of said software. In this case that means Research In Motion Ltd.